navigator.sendBeacon blocked

Ask for help about NoScript, no registration needed to post
max-m

navigator.sendBeacon blocked

Post by max-m » Wed Apr 25, 2018 6:00 pm

Hello,

the function navigator.sendBeacon(url, data) is being blocked by NoScript.

NoScript: 10.1.7.5
Firefox: 59.0.2

Steps to reproduce:
Run navigator.sendBeacon('/SOMETHING_RECOGNIZABLE', {}) on any site (via the browser console or directly as script on the page).
sendBeacon will return true (indicating successful queuing of the request) but the network tab won't show any beacon request.
With NoScript disabled the beacon request is being sent immediately and logged in the network tab (it also works on unload).
This can also be confirmed by looking at the server logs if done on a site controlled by yourself.

Probable cause (after a quick grep through the extension):
NoScript has multiple definitions of the different permission types.
The bg/RequestGuard.js defines the type ping for beacons and pings. This type is not present in the UI or common/Policy.js.
My attempt of adding "ping" to the Permissions.ALL object and setting custom permissions for my website (the NoScript UI now had a new, unlabled checkbox) made it work via the browser console at least, but not via window.addEventListener("unload", ...).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

kevinoid
Posts: 6
Joined: Sat Dec 02, 2017 4:11 am
Contact:

Re: navigator.sendBeacon blocked

Post by kevinoid » Fri Oct 04, 2019 5:35 pm

I just ran into this issue on Firefox 69.0.1 with NoScript 11.0.3. It appears that NoScript still has the undocumented non-configurable behavior of blocking navigator.sendBeacon on all sites, Trusted or otherwise.

Additionally, if navigator.sendBeacon is to be blocked, could the function either be deleted from the navigator object (like older browsers and Firefox with beacon.enabled = false in about:conifg) or return false (like Firefox if the request fails CORS checks) or throw (like Chrome if the request fails CORS)? That way sites can fall back to XHR/fetch (e.g. for unhandled error reporting, which is how I discovered this behavior).

Thanks for considering,
Kevin
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0

barbaz
Senior Member
Posts: 9683
Joined: Sat Aug 03, 2013 5:45 pm

Re: navigator.sendBeacon blocked

Post by barbaz » Sat Oct 05, 2019 1:31 am

Someone reported this on Github - https://github.com/hackademix/noscript/issues/88

I disagree with the solution proposed by that reporter. Those reclassifications are counter-intuitive and don't address the actual problem: the preset customisations have no checkbox for "ping", which means NoScript silently blocks stuff with no way to allow it!

The real solution is to just add the missing "ping" type checkbox to the permission customisation options.
*Always* check the changelogs BEFORE updating that important software!
-

musonius
Senior Member
Posts: 139
Joined: Sun Jul 08, 2018 5:38 pm

Re: navigator.sendBeacon blocked

Post by musonius » Thu Dec 26, 2019 9:18 pm

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0

User avatar
therube
Ambassador
Posts: 7681
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: navigator.sendBeacon blocked

Post by therube » Fri Dec 27, 2019 10:08 pm

Since we're here, & since we now have it, in layman's terms, just what does "sendBeacon" do (or not do, before) & how was one affected by it (before or now). As in what does one see or not see, impacted or not, when sendBeacon is blocked, or allowed?

https://developer.mozilla.org/en-US/doc ... sendBeacon
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.5

Post Reply