[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: LibreJS fails to block nonfree scripts on pages served through other
|
From: |
Ian Kelling |
|
Subject: |
Re: LibreJS fails to block nonfree scripts on pages served through other protocols than http(s) |
|
Date: |
Wed, 12 May 2021 23:06:03 -0400 |
|
User-agent: |
mu4e 1.5.7; emacs 28.0.50 |
Svetlana Tkachenko <svetlana@members.fsf.org> writes:
>> LibreJS version: 7.20.2
>>
>> Browser version: Parabola's Iceweasel 81.0.2-1
>>
>> Actually affected versions: all LibreJS versions for Firefox Quantum (60
>> onwards) and its derivatives
>>
>> Steps to reproduce:
>> 1. Save any page together with nonfree scripts to an html file. You can
>> also write one from scratch or use the one I trained drag&drop on (added
>> as an attachment).
>> 2. Open the file in Your browser with LibreJS enabled (put
>> file:///<path-to-html-file> in the URL box).
>> 3. You can also try accessing ftp:// URLs or other ones.
>>
>> Expected behaviour: LibreJS blocks the javascript in that html file or
>> marks it as free or marks it as trivial.
>>
>> Actual behaviour: Scripts happily execute and LibreJS doesn't even know
>> about them.
>>
>> Reason: LibreJS relies solely on the WebRequest API to block scripts and
>> the API only works for HTTP(S).
>>
>> Workaround: Use NoScript or some other extension.
>>
>> My remarks:
>> The developers must have deliberately omitted a crucial functionality
>> from the extension. That's not the worst, however. A bigger problem is
>> that the entire concept behind LibreJS is flawed. But this mail is not
>> the right place to paste my essay about that.
>
> Has this been fixed?
I'm pretty sure it hasn't. Are there other protocols that are widely
used? ftp: has been removed, file: is kind of a special case.