Allowing only HTTPS JavaScript on the medium security slider level is broken
In
isGlobalHttps: function(win, /*optional */ s) {
let allow = false;
if (s && !this._isHttpsAndNotUntrusted(s)) return false;
for (;; win = win.parent) {
let site = this.getSite(this.getPrincipalOrigin(this.getPrincipal(win.document)));
if (!(allow = s && site === s || this._isHttpsAndNotUntrusted(site)) || win === win.parent)
break;
s = site;
}
return allow;
},
let site = this.getSite(this.getPrincipalOrigin(this.getPrincipal(win.document)));
breaks as win
is null
.
This happens on a Tor Browser nightly with e10s enabled and based on ESR52 (tested on Linux 64 bits). The result is that the NoScript icon does not get updated anymore and I guess all JS is disabled (I have not verified that).