Chromium NoScript breaks JavaScript - script-src-elem

This issue has been tracked since 2022-02-08.

Example test page where this is happening: https://www.whonix.org/wiki/Testpage5

It breaks the CodeSelect copy button.

browser console:

SyncMessage.js:255 syncMessage error in https://www.whonix.org/wiki/Testpage5: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'https://[ff00::]/nscl/chrome-extension://doojmbjmlfjjnbmnoijecmcbfeoakpjm/syncMessage?id=8f4f20b094.f3f%2Chttps%3A%2F%2Fwww.whonix.org%2Fwiki%2FTestpage5&url=https%3A%2F%2Fwww.whonix.org%2Fwiki%2FTestpage5&top=true&msg=%7B%22id%22%3A%22fetchPolicy%22%2C%22url%22%3A%22https%3A%2F%2Fwww.whonix.org%2Fwiki%2FTestpage5%22%2C%22contextUrl%22%3A%22https%3A%2F%2Fwww.whonix.org%2Fwiki%2FTestpage5%22%7D'. (response )
browser.runtime.sendSyncMessage @ SyncMessage.js:255
fetchPolicy @ staticNS.js:99
(anonymous) @ staticNS.js:76
Testpage5:6 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-oHSGKuuE8Kdea012Pc/voSq6jcGbBj/Ai7OSQu3S1h0='), or a nonce ('nonce-...') is required to enable inline execution.

Testpage5:9 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-UyWNKuSjqtFkgWN+88VsaM+2YmdYTZY18yeDD8aZEvA='), or a nonce ('nonce-...') is required to enable inline execution.

Testpage5:1 Refused to load the script 'https://www.whonix.org/w/load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector' because it violates the following Content Security Policy directive: "script-src-elem 'none'".

Testpage5:544 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-LGIsqS2N3HEoHIbuKR7xrjLSMvk039kIXJiyrkKjwnU='), or a nonce ('nonce-...') is required to enable inline execution.

Testpage5:588 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-olDfO1rDscrbx2SOuGs9YqFg6ooSOlSgKb9RDo54otY='), or a nonce ('nonce-...') is required to enable inline execution.

  • Chromium (from flatpak) version: Version 98.0.4758.80 (Official Build) (64-bit)
  • NoScript version: 11.2.19
  • All other extensions disabled? Yes, only using NoScript.
  • Works with Firefox without NoScript? Yes, functional.
  • Works with Firefox + NoScript? Yes, functional.
  • Works with Chromium without NoScript? Yes, functional.
  • Works with Chromium + NoScript? No, broken.

server CSP:

curl --silent --head https://www.whonix.org/wiki/Testpage5 | grep content-security-policy:

content-security-policy: default-src 'none'; connect-src 'self'; script-src 'self' https://.whonix.org 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://.whonix.org 'unsafe-inline'; img-src 'self' data: https://.whonix.org; font-src 'self' https://.whonix.org;

CSP script-src-elem isn't set on the server, but there shouldn't be any hard requirement for it, because it is functional without NoScript and also because it has a fallback to default-src and script-src. (For testing I've also tried setting script-src-elem on the server as a workaround, but that didn't work either.)

Maybe related:
#114
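
The fallback chain the report refers to (script-src-elem, then script-src, then default-src) and the rule that every policy in force must allow a script, as an added example that is not part of the original report or of NoScript's code. It assumes the `script-src-elem 'none'` named in the console errors is enforced as a separate second policy; all function names are illustrative.

```javascript
// Added example: simplified model of how a browser picks the CSP directive
// that governs <script> elements. Handles only 'self', 'unsafe-inline' and
// exact-origin sources; hashes, nonces and wildcards are out of scope.

const SCRIPT_ELEM_CHAIN = ['script-src-elem', 'script-src', 'default-src'];

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// First directive in the fallback chain that the policy actually defines.
function effectiveDirective(policy) {
  const name = SCRIPT_ELEM_CHAIN.find(d => policy.has(d));
  return name ? { name, sources: policy.get(name) } : null;
}

// req is { inline: true } or { url: '...' }. Returns the violated directive or null.
function violatedBy(header, req, pageOrigin) {
  const eff = effectiveDirective(parsePolicy(header));
  if (!eff) return null; // this policy does not restrict scripts
  const ok = req.inline
    ? eff.sources.includes("'unsafe-inline'")
    : eff.sources.some(s =>
        (s === "'self'" && new URL(req.url).origin === pageOrigin) ||
        s === new URL(req.url).origin);
  return ok ? null : eff.name;
}

// Every policy in force is checked independently; one refusal blocks the script.
function checkScript(headers, req, pageOrigin) {
  return headers.map(h => violatedBy(h, req, pageOrigin)).filter(Boolean);
}

// Script-relevant directives of the server header quoted on this page.
const SERVER_CSP = "default-src 'none'; connect-src 'self'; " +
  "script-src 'self' https://.whonix.org 'unsafe-inline' 'unsafe-eval'";
// Assumption: the directive from the console errors, modelled as a second policy.
const SECOND_POLICY = "script-src-elem 'none'";
const ORIGIN = 'https://www.whonix.org';
const inline = { inline: true };

console.log(checkScript([SERVER_CSP], inline, ORIGIN));                // []
console.log(checkScript([SERVER_CSP, SECOND_POLICY], inline, ORIGIN)); // [ 'script-src-elem' ]
```

In this model, adding `script-src-elem` to the server header only changes which directive the server policy resolves to; the second policy still refuses the script on its own.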

baconwaifu wrote this answer on 2022-02-09

Can confirm, seeing this bite Cloudflare's DDoS protection pages.

Another note: The site in question had no CSP header (or meta tags), and Chrome wasn't letting me see where it was getting the applied CSP from, much less what it is. I also noticed SyncMessage-related errors and warnings in the console.

hackademix wrote this answer on 2022-02-09

It's fixed in 11.2.21, now in the Chrome Store. Thanks for reporting.

adrelanos wrote this answer on 2022-02-09

Thank you!

Functionality restored after update.

I am still getting the same messages in the browser console with NoScript enabled and scripts blocked. But no broken functionality discovered yet. Not sure whether that is expected or should be reported.

adrelanos wrote this answer on 2022-02-09

I am still having this issue but to a lesser degree.

Using Chromium with NoScript version 11.2.21.

Instructions for reproduction of the issue:

  1. go to https://www.whonix.org/wiki/Testpage13
  2. middle click on "Link to Testpage5."
  3. JavaScript (copy button) is broken. Same script-src-elem error messages.
  4. when I reload the page (F5 button), the website is functional

Non-issue (functional):
Middle click on "Link to Testpage5." directly from here, GitHub. That works.

More Details About Repo
Owner Name hackademix
Repo Name noscript
Full Name hackademix/noscript
Language JavaScript
Created Date 2018-06-30
Updated Date 2022-12-03
Star Count 573
Watcher Count 21
Fork Count 79
Issue Count 151
