Svetlana Tkachenko <[email protected]> writes:
>> LibreJS version: 7.20.2 >> >> Browser version: Parabola's Iceweasel 81.0.2-1 >> >> Actually affected versions: all LibreJS versions for Firefox Quantum (60 >> onwards) and its derivatives >> >> Steps to reproduce: >> 1. Save any page together with nonfree scripts to an html file. You can >> also write one from scratch or use the one I trained drag&drop on (added >> as an attachment). >> 2. Open the file in Your browser with LibreJS enabled (put >> file:///<path-to-html-file> in the URL box). >> 3. You can also try accessing ftp:// URLs or other ones. >> >> Expected behaviour: LibreJS blocks the javascript in that html file or >> marks it as free or marks it as trivial. >> >> Actual behaviour: Scripts happily execute and LibreJS doesn't even know >> about them. >> >> Reason: LibreJS relies solely on the WebRequest API to block scripts and >> the API only works for HTTP(S). >> >> Workaround: Use NoScript or some other extension. >> >> My remarks: >> The developers must have deliberately omitted a crucial functionality >> from the extension. That's not the worst, however. A bigger problem is >> that the entire concept behind LibreJS is flawed. But this mail is not >> the right place to paste my essay about that. > > Has this been fixed? I'm pretty sure it hasn't. Are there other protocols that are widely used? ftp: has been removed, file: is kind of a special case.
