After upgrading to FF47, "null" destination appears on some sites and functionality is broken

[fzimmerm]

Version: 1.0.beta12.1

Steps to reproduce:

1. Create a new Firefox profile
2. Set RP's default policy to "deny"
3. Visit http://gbatemp.net/review/mighty-no-9.467/
4. Allow *.cloudflare.com
5. Scroll down and try to click on one of the image thumbnails

What happens?

1. The image opens in a modal, all images scroll by very quickly and the modal closes.
2. Notice how "null" appears as a destination. Allowing requests to it doesn't fix the issue.

What should happen?

1. A modal showing the image and allowing navigation between images should appear.

Other, similar bug:

Steps to reproduce:

1. Create a new Firefox profile
2. Set RP's default policy to "deny"
3. Install and enable the rikaichan add-on and a dictionary.
4. Open a page with japanese characters and hover over a kanji character.

What happens?

1. Instead of a pop-up with the translation being displayed near the cursor, an unformatted translation is displayed at the bottom of the page.
2. Notice that "rikaichan" appeared as a destination. Globally allowing requests to it seems to fix the problem.

What should happen?

1. A pop-up with the translation should appear near the cursor.

[myrdd]

Okay, seems like these are two issues. Both issues are independent of the Firefox version, i.e. they are also an issue on Fx45-esr. However, both issues have been introduced by commit d1f6976. I already expected this would break something. Thank you for reporting.

In the first issue, a request to "about:blank" is made. The fix will be to globally allow requests to "about:blank" again. Fyi, you can read about about:blank in the NoScript FAQ.

The rikaichan add-on causes a request from the website's url to chrome://rikaichan/skin/popup-blue.css. This request should be allowed in case the rikaichan add-on is installed.

I'm planning to release a hotfix this weekend. Until then, please use beta11.1 to work around the first issue.

[myrdd]

Regarding the second issue, I'm going to allow chrome://*/skin/, since other Add-ons need this as well (see e.g. this review).

Allowing chrome://*/skin/ seems to be safe; it looks like Fx does security checks on "chrome" uris. See this screenshot of my test:

The site tries to show an image with the given URI. The error message is Security Error: Content at http://www.maindomain.test/internal-destinations_1.html may not load or link to chrome://rpcontinued/skin/requestpolicy-icon-blocked.png., and RP is not even asked whether the request should be allowed.

[myrdd]

Should be fixed in 1.0.beta12.2 and 1.0.beta12.2.1508.rbb94a69.pre.