Noscript bypass ?

[StevieO]

I had Scripting and Java disabled with Noscript in FF v3.0.12, and still videos started automatically playing on this www. Lots of Javascript in the source, but how can that happen ?

Just 1 example

http://www.5min.com/Video/Beware-of-...Tech-126844687

[Cudni]

i can't replicate. does noscript show all scripts block icon?

[StevieO]

Yes ?

[Cudni]

this is what i see on that page

[tsec]

Quote:

Originally Posted by ssj100

Same here.

Ditto

[tlu]

Quote:

Originally Posted by Cudni

this is what i see on that page

Same here. StevieO, something must be misconfigured or broken on your system. Have you tried a new profile?

[Mrkvonic]

Maybe some scripts are partially allowed?
Mrk

[Gizzy]

Do you have flash disabled too?

I noticed in Opera this video works with javascript disabled but flash enabled.

EDIT: I just tried in firefox and it doesn't play the way I have noscript setup,
But if I uncheck "Forbid Adobe Flash" under the plug-ins tab in the noscript settings then it isn't blocked.

[Masterton]

Quote:

Originally Posted by Cudni

this is what i see on that page

Same as Cudni.

The problem might be:

• You haven't checked "forbid Adobe Flash" in NoScript Options > Plugins
• The video is somehow hosted elsewhere and you have this domain whitelisted

[StevieO]

When i checked the white list i started to think it may be due to those yimg ytming entries, so i removed them, no difference.

Then i saw the new posts and disabled Flash, which i thought i had after the last time i used it, and that did the trick, so Thanx for that.

The thing is, i thought Flash relied on Scripting in order to work. I know for a fact on every other www i've been to with Flash i get a notice that the page etc wont display properly etc.

So i'm not quite sure what's happening with FF and Flash. Could this be potential vulnerability vector if it works without Scripting ?

Also tested the link with IE, see screenie. What's ActiveX got to do with it if it's a Scripting issue, as you don't need ActiveX in FF to view, or Scripting it seems ?

In which case why do all those www's show that those things are required to view in various Browsers ?

Thanx to all who responded.

[Trespasser]

Quote:

Originally Posted by Cudni

this is what i see on that page

Same here as well.

Later...

[TonyW]

By default, NoScript appears to block the Flash objects until allowed. I've never tinkered with the Plugins tab in Options; it's ticked here.

[Ocky]

If you are running Adblock Plus as well, and have these filters..
*ads*
*advert*
*banner*
....there will be no blocked script icons shown and no video, you will see a message to download flashplayer.
Without those filters No Script blocked script icons are shown (as they should).
You will see a red exclamation mark in Adblock Plus filter rules next to those
abovementioned filters warning that they are too short, unreliable, and may
slow down browsing.

[wardner]

Flash is blocked by default in NoScript, resetting NS to default settings will do the trick, possibly reinstating other security options disabled inadvertently (3rd button from the left at the bottom)