Closed jcaesar closed 4 years ago
http-equiv="refresh" is inside the noscript node and you have Spoof activated so uMatrix is doing what it's supposed to.
Add noscript-spoof: immowelt.de false to my Rules.
I'm sorry, maybe I misunderstood the intention of noscript-spoof. I thought turning that on would nullify the content of noscripts? [Edit:] I re-read https://github.com/gorhill/uMatrix/wiki/How-to-block-1st-party-scripts-everywhere-by-default#noscript-tags for the fifth time: Spoof here refers to that Javascript isn't actually turned off, and that the behavior of javascript being turned off is spoofed in the context of noscript tags. Meh. I wonder if that could be said more clearly. Either way, see below:
In either case, if I open a page with http-equiv="refresh", I get a before being redirected (given that accessibility.blockautorefresh is on). If anything, that being gone is the bug I want to report.
> I thought turning that on would nullify the content of noscripts?
No, quite the opposite, read -- https://github.com/gorhill/uMatrix/wiki/Per-scope-switches#spoof-noscript-tags
Anyways, add that rule and you won't get redirected anymore.
> No, quite the opposite, read -- https://github.com/gorhill/uMatrix/wiki/Per-scope-switches#spoof-noscript-tags
Should I add a paragraph on what spoof-noscript actually does? (My text understanding is sometimes a bit weak, please tell me if it's already written and I'm just being blind…)
Suggestion: "This feature is most useful to users who block 1st-party scripts by default. Enabling this setting will additionally render the content of <noscript> tags, which would otherwise be ignored since scripts are not fully disabled from a browser perspective."
> Anyways, add that rule and you won't get redirected anymore.
I mean, yes. But how do I know that I was redirected due to a noscript tag and have to add this rule to the page scope? I'd sure prefer not having to go through the source code every time and just get the nagbar ("Firefox prevented this page from automatically reloading") from the screenshot above.
(So, uuh, I kind of don't agree with the close… umatrix breaks some good behavior from Firefox here.)
> how do I know that I was redirected due to a noscript tag and have to add this rule to the page scope? I'd sure prefer not having to go through the source code every time
Disable the switch globally. Dashboard > Settings > Spoof
> umatrix breaks some good behavior from Firefox here.
what behaviour ?
> Should I add a paragraph on what spoof-noscript actually does?
I find the documentation is clear enough, I prefer to keep it as is.
Though I am against to keep adding text to the documentation, would using Render instead of Spoof make it more clear?
> Though I am against to keep adding text to the documentation, would using Render instead of Spoof make it more clear?
Yes, that would be nice. Maybe also in the settings pane?
> what behaviour ?
Getting this bar: on top of the page before being redirected.
Then again, I looked around a bit more, and it seems like this is default off now, and it cannot be turned on through the normal Preferences screen anymore. So yeah, maybe that's too niche to worry about supporting it.
> on top of the page before being redirected. Then again, I looked around a bit more, and it seems like this is default off now, and it cannot be turned on through the normal Preferences screen anymore. So yeah, maybe that's too niche to worry about supporting it.
As said, the meta node is placed inside the noscript node, so it doesn't work in Firefox. They're basically exploiting the noscript node. This is something you may want to file on BMO. Not a uMatrix issue, uMatrix is merely honouring the Spoof setting.
I'm not sure what exactly I would file on BMO (I assume that is bugzilla.mozilla.org?) Especially, I have no idea what you mean by "so it doesn't work in Firefox". What are you suggesting isn't working?
Prerequisites
* * script block was added
Description
When scripts are entirely blocked and the "Spoof <noscript> tags when 1st-party scripts are blocked" is on, meta http-equiv="refresh" can redirect to "You have JavaScript disabled, dummy"-style pages. (Or rather: accessibility.blockautorefresh does not function). Given that https://github.com/gorhill/uMatrix/blob/9b292304d33a44465922200efa5f8b378d0f9604/src/js/contentscript.js#L481 is being invoked, I guess this is somewhat by design. But I don't think it's desirable behaviour. It would sure be nice to get the usual firefox popup of ~"This webpage automatically redirected, we blocked, allow?".
A specific URL where the issue occurs
https://www.immowelt.de/immobilienpreise/bielefeld/wohnungspreise
The part of the page source code that's probably causing the issue:
Steps to Reproduce
firejail --private firefox --no-remote
about:addons
Ruleset
Supporting evidence
Your environment
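The thread asks how to tell that a redirect came from a meta refresh inside a noscript node without reading the page source by hand. The scanner below is an added example, not code from this issue or from uMatrix; its function names, the sample markup and the shop.example URLs are constructed, and regex scanning stands in for a real HTML parser.

```javascript
// Finds <meta http-equiv="refresh"> tags that sit inside <noscript> blocks,
// i.e. the ones that only fire when the noscript content is rendered.
const NOSCRIPT_RE = /<noscript\b[^>]*>([\s\S]*?)<\/noscript\s*>/gi;
const META_RE = /<meta\b[^>]*>/gi;

// Read one attribute value from a tag string (double-quoted, single-quoted or bare).
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Split a refresh "content" value such as "0; url=/nojs" into delay and target.
function parseRefresh(content) {
  const m = /^\s*(\d+)[^;,]*(?:[;,]\s*(?:url\s*=\s*)?["']?([^"']*?)["']?\s*)?$/i.exec(content);
  return m ? { delay: Number(m[1]), url: m[2] || null } : null;
}

// Return every meta refresh found inside a <noscript> block, resolved against pageUrl.
function findNoscriptRefreshes(html, pageUrl) {
  const source = html.replace(/<!--[\s\S]*?-->/g, ''); // skip commented-out markup
  const hits = [];
  for (const block of source.matchAll(NOSCRIPT_RE)) {
    for (const [tag] of block[1].matchAll(META_RE)) {
      if ((attr(tag, 'http-equiv') || '').toLowerCase() !== 'refresh') continue;
      const parsed = parseRefresh(attr(tag, 'content') || '');
      if (!parsed) continue;
      // A refresh without a URL reloads the current page.
      const target = parsed.url ? new URL(parsed.url, pageUrl).href : pageUrl;
      hits.push({ delay: parsed.delay, target });
    }
  }
  return hits;
}

// Constructed sample page (not the markup of the site named in the issue).
const SAMPLE_URL = 'https://shop.example/listing/page';
const SAMPLE_HTML = `<html><head>
<noscript><meta http-equiv="refresh" content="0; url=/nojs.html"></noscript>
<meta http-equiv="refresh" content="600">
<!-- <noscript><meta http-equiv="refresh" content="0; url=/old"></noscript> -->
</head><body>
<noscript><META HTTP-EQUIV=Refresh CONTENT='3;URL=https://example.org/enable-js'>
<p>Please enable JavaScript</p></noscript>
</body></html>`;

for (const hit of findNoscriptRefreshes(SAMPLE_HTML, SAMPLE_URL)) {
  console.log(`noscript refresh after ${hit.delay}s -> ${hit.target}`);
}
```

A non-empty result for a page scope is the signal that the per-scope rule mentioned in the thread (noscript-spoof: <hostname> false) is the one to add.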