navigator.sendBeacon blocked

Post a reply

Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek:

BBCode is ON
[img] is ON
[url] is ON
Smilies are ON

Topic review
   

Expand view Topic review: navigator.sendBeacon blocked

Re: navigator.sendBeacon blocked

by therube » Fri Dec 27, 2019 10:08 pm

Since we're here, & since we now have it, in layman's terms, just what does "sendBeacon" do (or not do, before) & how was one affected by it (before or now). As in what does one see or not see, impacted or not, when sendBeacon is blocked, or allowed?

https://developer.mozilla.org/en-US/doc ... sendBeacon

Re: navigator.sendBeacon blocked

by musonius » Thu Dec 26, 2019 9:18 pm

Re: navigator.sendBeacon blocked

by barbaz » Sat Oct 05, 2019 1:31 am

Someone reported this on Github - https://github.com/hackademix/noscript/issues/88

I disagree with the solution proposed by that reporter. Those reclassifications are counter-intuitive and don't address the actual problem: the preset customisations have no checkbox for "ping", which means NoScript silently blocks stuff with no way to allow it!

The real solution is to just add the missing "ping" type checkbox to the permission customisation options.

Re: navigator.sendBeacon blocked

by kevinoid » Fri Oct 04, 2019 5:35 pm

I just ran into this issue on Firefox 69.0.1 with NoScript 11.0.3. It appears that NoScript still has the undocumented non-configurable behavior of blocking navigator.sendBeacon on all sites, Trusted or otherwise.

Additionally, if navigator.sendBeacon is to be blocked, could the function either be deleted from the navigator object (like older browsers and Firefox with beacon.enabled = false in about:conifg) or return false (like Firefox if the request fails CORS checks) or throw (like Chrome if the request fails CORS)? That way sites can fall back to XHR/fetch (e.g. for unhandled error reporting, which is how I discovered this behavior).

Thanks for considering,
Kevin

navigator.sendBeacon blocked

by max-m » Wed Apr 25, 2018 6:00 pm

Hello,

the function navigator.sendBeacon(url, data) is being blocked by NoScript.

NoScript: 10.1.7.5
Firefox: 59.0.2

Steps to reproduce:
Run navigator.sendBeacon('/SOMETHING_RECOGNIZABLE', {}) on any site (via the browser console or directly as script on the page).
sendBeacon will return true (indicating successful queuing of the request) but the network tab won't show any beacon request.
With NoScript disabled the beacon request is being sent immediately and logged in the network tab (it also works on unload).
This can also be confirmed by looking at the server logs if done on a site controlled by yourself.

Probable cause (after a quick grep through the extension):
NoScript has multiple definitions of the different permission types.
The bg/RequestGuard.js defines the type ping for beacons and pings. This type is not present in the UI or common/Policy.js.
My attempt of adding "ping" to the Permissions.ALL object and setting custom permissions for my website (the NoScript UI now had a new, unlabled checkbox) made it work via the browser console at least, but not via window.addEventListener("unload", ...).

Top