Doesn't seem to work with NoScript :(

m c reporter

I reported this on NoScript forum too, and the discussion went as follows:

Does anything appear in the Browser Console (Ctrl+Shift+J)?

Just this:
: Component returned failure code: 0x805e0007 [nsIWebNavigation.loadURIWithOptions] browser.xml:154:0
OK I've disassembled Markdown Editor, and I think I see what's going on. The preview is done by dynamically loading data: URIs:
       var conv = new Showdown.converter(),
           wn = Components.interfaces.nsIWebNavigation;
       var html = conv.makeHtml(textbox.value);
       var data = "data:text/html;charset=utf-8," + escape(html);

       //browser.loadURI(data, wn.LOAD_FLAGS_DISALLOW_INHERIT_OWNER, "utf-8");
       browser.loadURIWithFlags(data, wn.LOAD_FLAGS_DISALLOW_INHERIT_OWNER, null, "utf-8", null);
IIUC whats going on, it's that "LOAD_FLAGS_DISALLOW_INHERIT_OWNER" is causing the data: URIs to lose origin info, and NoScript completely blocks data: URIs that aren't originate from a trusted source.

No idea what's best to do about this, here are some possibilities:

Markdown Editor's code is unfinished some places and suboptimal others (is it REALLY needed to validate URLs with a hairy regexp that ignores schemes other than http/https/ftp? Is there nothing directly provided by Gecko that can validate a URL?). Anyway.. Markdown Editor could change its approach, for example set innerHTML property instead.

Can Markdown Editor be run as a standalone application via XULRunner? Or run it in its own profile? (Or is functionality lost that way?)

Can this possibly help you make it work with NoScript?

2016-03-12T19:59:29+00:00

Comments (1)

m c reporter
I reported this on NoScript forum too, and the discussion went as follows:
Does anything appear in the Browser Console (Ctrl+Shift+J)?

Just this:
: Component returned failure code: 0x805e0007 [nsIWebNavigation.loadURIWithOptions] browser.xml:154:0
OK I've disassembled Markdown Editor, and I think I see what's going on. The preview is done by dynamically loading data: URIs:
var conv = new Showdown.converter(), wn = Components.interfaces.nsIWebNavigation; var html = conv.makeHtml(textbox.value); var data = "data:text/html;charset=utf-8," + escape(html); //browser.loadURI(data, wn.LOAD_FLAGS_DISALLOW_INHERIT_OWNER, "utf-8"); browser.loadURIWithFlags(data, wn.LOAD_FLAGS_DISALLOW_INHERIT_OWNER, null, "utf-8", null);
IIUC whats going on, it's that "LOAD_FLAGS_DISALLOW_INHERIT_OWNER" is causing the data: URIs to lose origin info, and NoScript completely blocks data: URIs that aren't originate from a trusted source.

No idea what's best to do about this, here are some possibilities:
- Markdown Editor's code is unfinished some places and suboptimal others (is it REALLY needed to validate URLs with a hairy regexp that ignores schemes other than http/https/ftp? Is there nothing directly provided by Gecko that can validate a URL?). Anyway.. Markdown Editor could change its approach, for example set innerHTML property instead.
- Can Markdown Editor be run as a standalone application via XULRunner? Or run it in its own profile? (Or is functionality lost that way?)
Can this possibly help you make it work with NoScript?
- 2016-03-12T19:59:29+00:00
Log in to comment