Broken images with script blocking

I’ve noticed recently that, with Firefox and NoScript, embedded images often aren’t showing up unless I enable scripts for the site in question - for instance, if an image came from tumblr.com, I’d have to enable scripts for Tumblr to see them. Is this a Discourse bug or a NoScript bug?

Discourse is 100% JavaScript and has always been, so if you disable JavaScript here, You’re Gonna Have a Bad Time™

I don’t have anything related to the BBS itself blocked. I’m talking about images embedded from some (but not all) third-party sites. I’ll have to dig up some examples…

Here’s one… the image only shows up if I enable regmedia.co.uk:

Are some sites hiding their images behind scripting now? That’s kind of evil…

No, it’s this HTML:

<div class="aspect-image" style="--aspect-ratio:648/432;">
<img src="https://regmedia.co.uk/2018/06/15/shutterstock_fingerprint.jpg" class="thumbnail">
</div>

Requesting an image from a remote site doesn’t activate any JavaScript from the remote site; how could it, really?

However, if you have visited that site before, the request will send cookies from that domain in the headers of the GET request for the image.

So then, this seems to be a NoScript bug. It still seems weird that I’d have to enable scripting to see a simple HTML-requested image from a third-party site.

If this is a policy change by the NoScript authors, I guess I better learn how to use uMatrix…

ETA: I tried deleting the relevant cookies, and it made no difference. Argh.

I’m really not sure, but it is a plain vanilla image tag. Is that domain blocked for you somehow?

Not blocked per se, but the domain is (unless I temporarily enable it) affected by the default NoScript settings. The same applies for other third-party images; I marked Facebook as untrusted on general principle, so any image hosted by Facebook shows up broken.

I normally don’t enable (i.e. mark as trusted) any but a select few sites permanently.

I have the same problem with NoScript. It might be something to do with the XSS protection NoScript has turned on by default.
