noscript icon indicating copy to clipboard operation
noscript copied to clipboard
verified publisher icon hackademix

static.wixstatic.com scripts/assets not surfaced by NoScript - dynamic sections appear blank unless domain manually allowed, but it isn't listed in NoScript dropdown

Open Gliktch opened this issue 9 months ago • 1 comments

Firefox 138.0.4 on Linux Mint 22.1 and NoScript 13.0.6

On some Wix-powered websites (e.g. https://www.silvertonpsych.com/), content sections fail to render unless static.wixstatic.com is manually whitelisted. In the Silverton case, this includes profile images, bio text, and social/profile links in the "Meet the Team" block.

NoScript does not list static.wixstatic.com in the permissions UI, so users may allow all visible domains and still see a blank area with no indication that NoScript is the culprit. Manually allowing static.wixstatic.com resolved the issue for me, and despite that I don't have wix.com, wixpress.com or wixapps.net allowed (those all show up in the dropdown after wixstatic is allowed and page reloaded), the bio section now loads and displays correctly.

Steps to Reproduce:

1. Visit https://www.silvertonpsych.com/ with NoScript enabled.
2. Allow all visible domains. 3. Scroll to the Meet the Team section.
4. Only the heading and a short horizontal rule render - bios, images, and profile links do not appear.
5. Manually allow 'static.wixstatic.com'.
6. Reload - full content now appears correctly, including images ('<wow-image>'), bios, and outbound profile links.

Hope that helps - must be some weirdness with how Wix is trying to dynamically load stuff, but I'm at the extent of my knowledge getting to this point. Someone who knows more about AJAX or whatever other sorcery Wix is using will have to pick it up from here 🤓

Gliktch avatar May 27 '25 04:05 Gliktch

Hmm... Weirdly, after removing static.wixstatic.com (setting back to default), clearing browser cache and reloading the silverton site, now that dynamic content is still showing up (albeit it did take a good ~5secs). That is with those three wix domains mentioned above still disallowed, and the rest of what's listed in the dropdown (parastorage.com, google.com, sentry-cdn.com and the top domain) all trusted.

Sorry, it seems I've not got this as nailed down as I first thought... If I get time later tonight I'll try to do some isolation testing and see if we can't get a lock on it. 😅👍️

Gliktch avatar May 27 '25 05:05 Gliktch