More extension puzzles

Since Haploid solved my previous puzzle way too fast, here is another one: what is that page really trying to load? And why is it that NoScript and Adblock Plus disagree so much on that — none of the dozen domains NoScript is showing show up in Adblock Plus and the one request showing up in Adblock Plus doesn’t show in NoScript.

NoScript displaying weird domains

Comments

  • Giorgio Maone

    I’ll solve it for you: NoScript has been reporting every supposed script source (not necessarily a “request”) on a page even before it implemented a content policy. Therefore, in addition to the ones detected from its nsIContentPolicy implementation, it shows the “site” (which can be the 2nd level domain, or the full domain or the prepath, depending on user’s preferences) for every src attribute of SCRIPT elements (even if they actually won’t load code, which is an arguably rare case on real world pages).
    On the other hand, NoScript filters out those “sites” which don’t make sense in its UI: Reporting view-source: for script permissions is quite pointless, isn’t it?

    P.S.: my AdBlock Plus 1.0.1 reports “no blockable items”. Is this expected (you wrote “the one request”)?

    Wladimir Palant

    Note that view-source: actually loads – if you disable NoScript. And then Adblock Plus also reports it.

  • Dave

    I have a question: what happens inside Firefox, when this page is loaded?

    Is Firefox ignoring the ba* things because it doesn’t know what a type=“not/a/script” is? Will it load/request those items (if they would be real adresses/scripts)?

    Will Firefox execute the “view-source” script? Or is the script only requested, without any further action?

    Thanks!

    Wladimir Palant

    Firefox is ignoring the scripts if it doesn’t know the type – like it would ignore type=“vbscript” for example. No requests and no downloads in this case. As to view-source: script – yes, it is loaded and executed, I verified that.

  • Aerik

    Looks like Giorgio fixed Noscript 1.9.0.5 so your spoof page doesn’t trigger any more. And thanked you, too.

    Wladimir Palant

    No, he fixed the issue from the previous blog post. On that spoof page NoScript still shows all the various scripts – except the one that is really being loaded.

  • Giorgio Maone

    @Aerik, @Wladimir:
    In facts the previous issue was the only one who deserved immediate attention, for obvious reasons (a 20 seconds hang is not a vulnerability, but it’s surely annoying). And just to clarify Wladimir’s previous answer to Dave, NoScript blocks the view-source: script anyway, even if it’s not displayed in the UI.

    P.S.: AdBlock Plus is not infallible at reporting every script source either, but it also doesn’t block the ones it cannot show.