uBlockOrigin / uMatrix-issues

This is the community-maintained issue tracker for uMatrix
https://github.com/gorhill/uMatrix

Block all scripts + Spoof <noscript> may still allow pages to redirect to "Script disabled" style dead end pages #270

Closed jcaesar closed 4 years ago

jcaesar commented 4 years ago

Description

When scripts are entirely blocked and the "Spoof <noscript> tags when 1st-party scripts are blocked" is on, meta http-equiv="refresh" can redirect to "You have JavaScript disabled, dummy"-style pages. (Or rather: accessibility.blockautorefresh does not function).

Given that https://github.com/gorhill/uMatrix/blob/9b292304d33a44465922200efa5f8b378d0f9604/src/js/contentscript.js#L481 is being invoked, I guess this is somewhat by design. But I don't think it's desirable behaviour. It would sure be nice to get the usual firefox popup of ~"This webpage automatically redirected, we blocked, allow?".

A specific URL where the issue occurs

https://www.immowelt.de/immobilienpreise/bielefeld/wohnungspreise

The part of the page source code that's probably causing the issue:

<body>
    <!-- Tealium -->
    <script type="text/javascript">
        //<![CDATA[
        var utag_data = { "app_medienid": 0 }
            //]]>
    </script>
    <noscript>
    <meta http-equiv="refresh" content="0;url=/immobilienpreise/no-script" />
</noscript>

Steps to Reproduce

  1. Grab myself a fresh profile: firejail --private firefox --no-remote
  2. Install umatrix through about:addons
  3. Navigate to some random page and block scripts on all pages
  4. Navigate to page linked above

Ruleset

https-strict: behind-the-scene false
matrix-off: about-scheme true
matrix-off: behind-the-scene true
matrix-off: chrome-extension-scheme true
matrix-off: chrome-scheme true
matrix-off: moz-extension-scheme true
matrix-off: opera-scheme true
matrix-off: vivaldi-scheme true
matrix-off: wyciwyg-scheme true
noscript-spoof: * true
referrer-spoof: * true
referrer-spoof: behind-the-scene false
* * * block
* * css allow
* * frame block
* * image allow
* * script block
* 1st-party * allow
* 1st-party frame allow

Supporting evidence

[Screenshots: shot, shot2]

uBlock-user commented 4 years ago

http-equiv="refresh" is inside the noscript node and you have Spoof

Add noscript-spoof: immowelt.de false to my Rules.

jcaesar commented 4 years ago

I'm sorry, maybe I misunderstood the intention of noscript-spoof. I thought turning that on would nullify the content of noscripts? [Edit:] I re-read https://github.com/gorhill/uMatrix/wiki/How-to-block-1st-party-scripts-everywhere-by-default#noscript-tags for the fifth time: Spoof here refers to that Javascript isn't actually turned off, and that the behavior of javascript being turned off is spoofed in the context of noscript tags. Meh. I wonder if that could be said more clearly. Either way, see below:

In either case, if I open a page with http-equiv="refresh", I get a [screenshot: shot3] before being redirected (given that accessibility.blockautorefresh is on). If anything, that being gone is the bug I want to report.

uBlock-user commented 4 years ago

> I thought turning that on would nullify the content of noscripts?

No, quite the opposite, read -- https://github.com/gorhill/uMatrix/wiki/Per-scope-switches#spoof-noscript-tags

Anyways, add that rule and you won't get redirected anymore.

jcaesar commented 4 years ago

> No, quite the opposite, read -- https://github.com/gorhill/uMatrix/wiki/Per-scope-switches#spoof-noscript-tags

Should I add a paragraph on what spoof-noscript actually does? (My text understanding is sometimes a bit weak, please tell me if it's already written and I'm just being blind…)

Suggestion: "This feature is most useful to users who block 1st-party scripts by default. Enabling this setting will additionally render the content of <noscript> tags, which would otherwise be ignored since scripts are not fully disabled from a browser perspective."

> Anyways, add that rule and you won't get redirected anymore.

I mean, yes. But how do I know that I was redirected due to a noscript tag and have to add this rule to the page scope? I'd sure prefer not having to go through the source code every time and just get the nagbar ("Firefox prevented this page from automatically reloading") from the screenshot above.

(So, uuh, I kind of don't agree with the close… umatrix breaks some good behavior from Firefox here.)
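An added example, not part of the thread or of uMatrix's code: one way to answer "was I redirected because of a noscript tag?" without reading the source by hand is to scan the saved page for `<meta http-equiv="refresh">` nested inside `<noscript>` and resolve its target. The function and class names are hypothetical; the first sample is the snippet quoted in the issue, the second is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Page source quoted in the issue (closing </body> added to complete the sample).
SAMPLE_HTML = """<body>
    <!-- Tealium -->
    <script type="text/javascript">
        //<![CDATA[
        var utag_data = { "app_medienid": 0 }
            //]]>
    </script>
    <noscript>
    <meta http-equiv="refresh" content="0;url=/immobilienpreise/no-script" />
</noscript>
</body>"""
PAGE_URL = "https://www.immowelt.de/immobilienpreise/bielefeld/wohnungspreise"
# Constructed control: a refresh outside <noscript> is not affected by spoofing.
CONTROL_HTML = '<head><meta http-equiv="refresh" content="5; url=/next"></head>'

def parse_refresh(content):
    """Split a refresh 'content' value into (delay, target-or-None)."""
    delay, _, rest = content.partition(";")
    rest = rest.strip()
    if rest.lower().startswith("url"):
        rest = rest[3:].lstrip(" =").strip().strip("'\"")
    return delay.strip(), rest or None

class NoscriptRefreshFinder(HTMLParser):
    """Collect meta refresh tags that only take effect when <noscript> renders."""
    def __init__(self):
        super().__init__()
        self.depth = 0   # how many <noscript> elements are currently open
        self.hits = []   # (delay, raw target) per matching <meta>
    def handle_starttag(self, tag, attrs):
        if tag == "noscript":
            self.depth += 1
        elif tag == "meta" and self.depth:
            a = {k: (v or "") for k, v in attrs}
            if a.get("http-equiv", "").strip().lower() == "refresh":
                self.hits.append(parse_refresh(a.get("content", "")))
    def handle_endtag(self, tag):
        if tag == "noscript" and self.depth:
            self.depth -= 1

def find_noscript_redirects(html, page_url):
    """Return [(delay, absolute_target)]; an empty target means 'reload this page'."""
    finder = NoscriptRefreshFinder()
    finder.feed(html)
    finder.close()
    return [(d, urljoin(page_url, t or "")) for d, t in finder.hits]

if __name__ == "__main__":
    for delay, target in find_noscript_redirects(SAMPLE_HTML, PAGE_URL):
        print(f"noscript-only redirect after {delay}s -> {target}")
```

A non-empty result means the redirect only fires when `<noscript>` content is rendered, which is the case the per-site `noscript-spoof: ... false` rule from the thread addresses.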

uBlock-user commented 4 years ago

> how do I know that I was redirected due to a noscript tag and have to add this rule to the page scope? I'd sure prefer not having to go through the source code every time

Disable the switch globally. Dashboard > Settings > Spoof

> umatrix breaks some good behavior from Firefox here.

What behaviour?

gorhill commented 4 years ago

> Should I add a paragraph on what spoof-noscript actually does?

I find the documentation is clear enough, I prefer to keep it as is.

gorhill commented 4 years ago

Though I am against continuing to add text to the documentation, would using Render instead of Spoof make it more clear?

jcaesar commented 4 years ago

> Though I am against continuing to add text to the documentation, would using Render instead of Spoof make it more clear?

Yes, that would be nice. Maybe also in the settings pane?

> what behaviour ?

Getting this bar: [screenshot: shot3crop] on top of the page before being redirected. Then again, I looked around a bit more, and it seems like this is default off now, and it cannot be turned on through the normal Preferences screen anymore. So yeah, maybe that's too niche to worry about supporting it.

uBlock-user commented 4 years ago

> on top of the page before being redirected. Then again, I looked around a bit more, and it seems like this is default off now, and it cannot be turned on through the normal Preferences screen anymore. So yeah, maybe that's too niche to worry about supporting it.

As said, the meta node is placed inside the noscript node, so it doesn't work in Firefox. They're basically exploiting the noscript node. This is something you may want to file on BMO. Not a uMatrix issue, uMatrix is merely honouring Spoof

jcaesar commented 4 years ago

I'm not sure what exactly I would file on BMO (I assume that is bugzilla.mozilla.org?) Especially, I have no idea what you mean by "so it doesn't work in Firefox". What are you suggesting isn't working?