From: Svetlana Tkachenko
Subject: Re: LibreJS fails to block nonfree scripts on pages served through other protocols than http(s)
Date: Tue, 11 May 2021 11:12:24 +1000
User-agent: Cyrus-JMAP/3.5.0-alpha0-448-gae190416c7-fm-20210505.004-gae190416

> LibreJS version: 7.20.2
>
> Browser version: Parabola's Iceweasel 81.0.2-1
>
> Actually affected versions: all LibreJS versions for Firefox Quantum (60
> onwards) and its derivatives
>
> Steps to reproduce:
> 1. Save any page together with nonfree scripts to an html file. You can
> also write one from scratch or use the one I trained drag&drop on (added
> as an attachment).
> 2. Open the file in Your browser with LibreJS enabled (put
> file:///<path-to-html-file> in the URL box).
> 3. You can also try accessing ftp:// URLs or other ones.
>
> Expected behaviour: LibreJS blocks the javascript in that html file or
> marks it as free or marks it as trivial.
>
> Actual behaviour: Scripts happily execute and LibreJS doesn't even know
> about them.
>
> Reason: LibreJS relies solely on the WebRequest API to block scripts and
> the API only works for HTTP(S).
>
> Workaround: Use NoScript or some other extension.
>
> My remarks:
> The developers must have deliberately omitted a crucial functionality
> from the extension. That's not the worst, however. A bigger problem is
> that the entire concept behind LibreJS is flawed. But this mail is not
> the right place to paste my essay about that.

Has this been fixed?