This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

Is there a way to disable javascript in local file:// for firefox? #589

Closed
vzjrz opened this issue Jul 14, 2016 · 12 comments

Comments


vzjrz commented Jul 14, 2016

Just noticed that javascript runs on local html files. My rules:

```
matrix-off: about-scheme true
matrix-off: behind-the-scene true
matrix-off: chrome-extension-scheme true
matrix-off: chrome-scheme true
matrix-off: localhost true
matrix-off: opera-scheme true
* * * block
* * cookie block
* * frame block
* * plugin block
* 1st-party css allow
* 1st-party image allow
```

Noscript does seem to disable local js.


Snapy commented Jul 19, 2016

Remove matrix-off: localhost true.

Author

vzjrz commented Jul 19, 2016

@Snapy I tried removing that rule but it still runs js. I even removed everything except * * * block and still nothing.


ghost commented Jul 24, 2016

Why don't you just try modifying the javascript.enable=false preference inside about:config?

Author

vzjrz commented Jul 25, 2016

@debiangirl Yeah that would disable javascript everywhere but it wouldn't allow me to quickly control it on a case by case basis like I do with umatrix.


Thorin-Oakenpants commented Jul 26, 2016

What does file-scheme file-scheme script block do?

Owner

gorhill commented Jul 26, 2016

uMatrix/uBO inject a content security policy ("CSP") directive in response headers to prevent inline script tags from executing. I verified that with Chromium/Firefox, their respective handler for response headers is not invoked -- hence no CSP can be injected.


Atavic commented Dec 9, 2017

@vzjrz addons like maone's no script can block/unblock JS with an icon.

Owner

gorhill commented Dec 9, 2017

@Atavic: that does not work with NoScript 10, which is webext-based like uMatrix.


Atavic commented Dec 9, 2017

Ajjj... Right. What about policy-control

AMO


Thorin-Oakenpants commented Dec 10, 2017

@gorhill: quick question (semi-related I think, please don't shoot me). See ghacks-user.js issue, Bugzilla 1368682 etc. No one is sure yet if this is a problem in web content, but it certainly can be done manually, e.g. entering C:\$MFT\foo - any way to block this in uM or uBo?

Edit: https://www.bleepingcomputer.com/news/microsoft/filesystem-bug-hangs-or-crashes-windows-7-and-windows-8-1/
^^ probably explains it nicely. No one is sure if this bit "or the path is secretly loaded in the background of a web page, as an image's source URL" can be accomplished, see bugzilla, ghacks issue comments

Owner

gorhill commented Dec 11, 2017

> any way to block this in uM or uBo?

This would need to be tried -- see what the logger reports. If the logger reports the URL, then it should be blockable. I don't have Windows, so I can't try.

Owner

gorhill commented Sep 16, 2018

The new NoScript succeeds in blocking JS from file: URL. I looked into it and it does so by injecting the CSP directive through a <meta http-equiv...> in the DOM at document_start time -- clever.

I will bring this technique to uMatrix. Note that this would still not solve the case for Chromium; this is possible in Firefox because it supports registering content scripts dynamically.
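
The technique described in the last comment, sketched as an added example (not code from uMatrix, NoScript or any participant in this thread): a content script registered dynamically for `file:` URLs that inserts a CSP `<meta>` at `document_start`. The policy string, the function names and the handling of a not-yet-parsed `<head>` are assumptions of this sketch.

```javascript
// Added example; not uMatrix or NoScript source code.
// Assumed policy string: forbid every script source, inline included.
const BLOCK_SCRIPTS_CSP = "script-src 'none'";

// Runs in the page at document_start. It must be self-contained (no outer
// references) because it is serialized into the content script below.
function injectCspMeta(doc, policy) {
  const root = doc.documentElement;
  if (!root) return null;
  // A CSP <meta> is only honoured as a child of <head>. At document_start the
  // parser has usually not created <head> yet, so create one if needed.
  let head = doc.head;
  if (!head) {
    head = doc.createElement('head');
    root.insertBefore(head, root.firstChild);
  }
  const meta = doc.createElement('meta');
  meta.setAttribute('http-equiv', 'Content-Security-Policy');
  meta.setAttribute('content', policy);
  // Insert first so the policy precedes any script the parser adds later.
  head.insertBefore(meta, head.firstChild);
  return meta;
}

// Source text of the content script: the function above applied to `document`.
function buildContentScript(policy) {
  return `(${injectCspMeta.toString()})(document, ${JSON.stringify(policy)});`;
}

// Background page: register the script for local files only. `api` is the
// WebExtensions `browser` object (Firefox: browser.contentScripts.register).
function registerFileSchemeBlocker(api, policy = BLOCK_SCRIPTS_CSP) {
  return api.contentScripts.register({
    matches: ['file:///*'],
    js: [{ code: buildContentScript(policy) }],
    runAt: 'document_start',
    allFrames: true,
  });
}

// Only runs inside an extension; skipped when `browser` does not exist.
if (typeof browser !== 'undefined' && browser.contentScripts) {
  registerFileSchemeBlocker(browser).catch(console.error);
}
```

The object returned by `contentScripts.register()` has an `unregister()` method, which is what allows per-case toggling rather than a global switch.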
