Skip to content

NoScript inconsistent behaviour in Firefox 77 (currently beta)

While working on fixing the testsuite (legacy/trac#27105 (moved)) I ran into some inconsistent blocking behaviour of NoScript in a Tor Browser WIP build based on Firefox 77 beta.

Basically, the issue is that with Tor Browser Safer NoScript configuration when visiting a http: page (containing a https: iframe) and then going to the https: version of the same page results in JavaScript being blocked, but it should not be. Manually reloading the https: page results in JavaScript being executed correctly.

After some effort, I managed to reproduce in current Firefox 77 beta directly, more specifically: f2e0df68e569b43ca337535927ed63068ed01c664eea7e397378cae668f63d0a firefox-77.0b9.tar.bz2. Tested with NoScript 11.0.26 and 11.0.25.

Steps to reproduce (in a fresh profile):

  • Install NoScript addon.

  • Go to NoScript options page (either via about:addons or via NoScript toolbar badge).

  • Enable "script" option and "Cascade top document's restrictions to subdocuments" in the General + Default tab.

  • Still in General, go to "UNTRUSTED" and enable "frame".

  • Go to "Per-site permission" tab and add a new rule: "http:" and mark it as "untrusted" (basically, setting non-https pages as untrusted).

  • Open a new tab and visit http://alltaken.xyz/https_iframe.html

  • When loaded, open a new tab and visit https://alltaken.xyz/https_iframe.html

  • Result: JavaScript is blocked, but it should not be. When the page is manually reloaded (press F5), the script is executed correctly, and the JavaScriptEnabled text is displayed.