Dear Lazyweb: Help me kill misused "noscript" tags. - Adventures in Engineering — LiveJournal
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2006-09-12 02:34
  Subject:   Dear Lazyweb: Help me kill misused "noscript" tags.
  Mood:old 'n cranky
  Music:those damn kids playing on my lawn

So here's the deal: A lot of web designers assume that a JavaScript enabled browser is a given, and their only concession to us who don't play that, is a line in the master HTML page template for the site that reads something like:

<noscript><META HTTP-EQUIV="refresh" content="0;URL=http://www.site.com/error.htm"></noscript>

The amusing irony is that most of the time, the pages do degrade reasonably and could be viewed with a JS disabled browser. But thanks to the noscript tag, you don't get to see even the degraded page. The browser automatically takes you to the error page when you try and load any page on the site.

So what I want is, a way to tell my browser to temporarily NOT honor noscript tags. Or to re-write them so they're not noscript tags any more. Or anything else that would allow me to ignore noscript tags and see the contents of the page. And decide for myself if I need to have JavaScript or not.

Anyone know how to do it? Preferably for Firefox if that's possible.

Tried several Google searches with different terms, but didn't find anything that looked useful. Maybe I'm just using the wrong terms. I swear someone must have made a GreaseMonkey script to do this, but I can't find it...



Edit: Here's an easy GreaseMonkey script to comment out <noscript> tags:

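var tags = document.getElementsByTagName("noscript");

// getElementsByTagName returns a live list, so walk it backwards:
// replacing an element removes it from the list as we go.
for (var i = tags.length - 1; i >= 0; i--) {
    tags[i].outerHTML = "<!-- " + tags[i].innerText + "//-->";
}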


It doesn't work. Know why? Because you have to enable JavaScript for THE WHOLE PAGE in order to get a GreaseMonkey script on the page to run! Talk about "unclear on the concept" - in order to run a GreaseMonkey script, to kill <noscript> tags, I have to enable JavaScript, which automatically kills <noscript> tags! AHHHHHHHHHH!!! (Shoots self in head!)

The only real way around this is to make my script into an extension. Firefox Extensions are written in JavaScript, but they run in a different way than JavaScript on an HTML page does. An extension will allow me to run this code without running afoul of NoScript's (very correct, and desired) ability to kill all JavaScript on a page. Yup, gonna be making another one of them-there EXTENSION thingies. At least I know about the GreaseMonkey Script -> Firefox Extension Compiler this time...

Now all I need to do, to complete the stupidity cycle, is create an extension that will run user scripts (in spite of NoScript) when GreaseMonkey requests it. Eesh! Quoth jwz: "This is only "free" if your time has no value."




Adding an event listener will work, but it's a very bad idea from a security perspective:

This also would be terribly insecure, because of the extra APIs that GM scripts get access to, and the fact that this would expose them to content pages.

-GMDev mailing list


GreaseMonkey versions after 0.5 use some special FF API calls (http://developer.mozilla.org/en/docs/XPCNativeWrapper) to apply GM scripts to a web page with relative safety:

The new methods used in GM post-0.5 to increase security take advantage of new methods that FF 1.5 provide, (to the best of my knowledge) and it really won't work on FF 1.0.

-GMDev mailing list

So basically, you have to upgrade to FF 1.5 or later, and then upgrade to GreaseMonkey 0.5+, and then things will work despite normal scripts on the page being disabled by NoScript.

Not the solution I was hoping for, but at least it's a solution.
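
An added example (not part of the original post or its comments) of the "re-write them" option from the post: a function that takes page source as text and strips meta-refresh redirects found inside noscript blocks, keeping the rest of the fallback markup. The function names, the regex-based scanning and the sample page are assumptions of this example; the error.htm URL is the one quoted in the post.

```javascript
// Added example: strip <meta http-equiv="refresh"> redirects inside <noscript> blocks.
// Regex scanning is an assumption made for brevity; it is not a full HTML parser.
const NOSCRIPT_RE = /(<noscript\b[^>]*>)([\s\S]*?)(<\/noscript\s*>)/gi;
const META_RE = /<meta\b[^>]*>/gi;

// Read one attribute value (double-quoted, single-quoted or bare) from a tag.
function attr(tag, name) {
  const re = new RegExp("\\s" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Parse a refresh value such as "0;URL=http://host/path"; null if it names no URL.
function refreshTarget(content) {
  const m = /^\s*\d*(?:\.\d*)?\s*[;,]?\s*(?:url\s*=\s*)?(.*)$/i.exec(content || "");
  const url = m ? m[1].trim().replace(/^['"]|['"]$/g, "") : "";
  return url || null;
}

// Remove refresh metas from noscript blocks only; report where they pointed.
function neutralizeNoscriptRedirects(html) {
  const removed = [];
  const cleaned = html.replace(NOSCRIPT_RE, (_, open, inner, close) => {
    const kept = inner.replace(META_RE, (tag) => {
      if ((attr(tag, "http-equiv") || "").toLowerCase() !== "refresh") return tag;
      removed.push(refreshTarget(attr(tag, "content")));
      return "<!-- noscript refresh removed -->";
    });
    return open + kept + close;
  });
  return { html: cleaned, removed };
}

// Constructed sample page (not taken from a real site).
const SAMPLE = [
  "<html><head>",
  '<noscript><META HTTP-EQUIV="refresh" content="0;URL=http://www.site.com/error.htm"></noscript>',
  '<meta http-equiv="Content-Type" content="text/html">',
  "</head><body>",
  "<noscript><p>Menus need JavaScript.</p><meta content='5; url=/nojs.html' http-equiv=Refresh></noscript>",
  "<p>Article text that renders fine without scripts.</p>",
  "</body></html>",
].join("\n");

console.log(neutralizeNoscriptRedirects(SAMPLE).removed);
```

The returned list of redirect targets lets the reader decide whether the site's "error" page is worth visiting at all.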

  User: nickhalfasleep
  Date: 2006-09-13 02:16 (UTC)
  Subject:   (no subject)
Dunno but it looks like it would have to be a full plugin.



Ben Cantrick
  User: mackys
  Date: 2006-09-13 03:50 (UTC)
  Subject:   (no subject)
Yes, it definitely has to be a full-fledged extension. That's what the greasemonkey script -> extension compiler does.

The question now is, why doesn't my script (that works in GreaseMonkey if I enable JScript) STOP working when I make it an extension...



Ben Cantrick
  User: mackys
  Date: 2006-09-13 06:27 (UTC)
  Subject:   Answering my own question...
There are two ways to attach an event listener to an element. First, by using an attribute with script as its value. Second, by calling an element's addEventListener method. The former may only handle bubbling events but tends to be simpler to write. The latter can handle events at any phase and may also be used to attach multiple listeners for an event to an element. Using the attribute form is more common for most events.

http://xulplanet.com/tutorials/xultu/events.html

var scriptElm = e.originalTarget.createElement("script");
var text = "//===killnoscriptbasedonkillblink===\n" + getContents("chrome://killnoscriptbasedonkillblink/content/javascript.js") + "\n\n";
scriptElm.appendChild(e.originalTarget.createTextNode(text));
e.originalTarget.body.appendChild(scriptElm);
e.originalTarget.body.removeChild(scriptElm);


-"kill noscript" extension's browser.js, which is code auto-supplied from the Greasemonkey -> Extension translator.


Briefly, the code that the GM -> Extension translator uses simply inserts a "script" element into the page you're looking at. Exactly what GM does, and exactly what WON'T work if, like a sane human being, you keep JavaScript disabled.


Next: How to fix it.



Ben Cantrick
  User: mackys
  Date: 2006-09-13 07:31 (UTC)
  Subject:   The final answer!
var appcontent = window.document.getElementById("appcontent");
// Execute initialize before a page is loaded
if (appcontent) {
    appcontent.addEventListener("DOMContentLoaded", anyPreviouslyDefinedFunction, false);
}


-http://www.pragmatically.net/articles/2005/08/25/hacking-firefox-removing-javascript-security-restrictions-by-injecting-javascript

Briefly, this will run "anyPreviouslyDefinedFunction()" after the page source has loaded, but before images load. When this code is run from within browser.xul (as it would be if it were installed as an extension), anyPreviouslyDefinedFunction() will run with the same kind of permissions as all other browser "chrome" aka UI elements. Meaning in theory it could do anything that any option in any of the browser's menus can.


