NoScript inconsistent behaviour in Firefox 77 (currently beta)
While working on fixing the testsuite (#27105) I ran into some inconsistent blocking behaviour of NoScript in a Tor Browser WIP build based on Firefox 77 beta.
Basically, the issue is that with Tor Browser Safer NoScript configuration when visiting a http: page (containing a https: iframe) and then going to the
After some effort, I managed to reproduce in current Firefox 77 beta directly, more specifically:
f2e0df68e569b43ca337535927ed63068ed01c664eea7e397378cae668f63d0a firefox-77.0b9.tar.bz2. Tested with NoScript 11.0.26 and 11.0.25.
Steps to reproduce (in a fresh profile):
1. Install NoScript addon.
2. Go to NoScript options page (either via about:addons or via NoScript toolbar badge).
3. Enable "script" option and "Cascade top document's restrictions to subdocuments" in the General + Default tab.
4. Still in General, go to "UNTRUSTED" and enable "frame".
5. Go to "Per-site permission" tab and add a new rule: "http:" and mark it as "untrusted" (basically, setting non-https pages as untrusted).
6. Open a new tab and visit http://alltaken.xyz/https_iframe.html
7. When loaded, open a new tab and visit https://alltaken.xyz/https_iframe.html