navigator.sendBeacon blocked

max-m

navigator.sendBeacon blocked

Post by max-m » Wed Apr 25, 2018 6:00 pm

Hello,

the function navigator.sendBeacon(url, data) is being blocked by NoScript.

NoScript: 10.1.7.5
Firefox: 59.0.2

Steps to reproduce:
Run navigator.sendBeacon('/SOMETHING_RECOGNIZABLE', {}) on any site (via the browser console or directly as script on the page).
sendBeacon will return true (indicating successful queuing of the request) but the network tab won't show any beacon request.
With NoScript disabled the beacon request is being sent immediately and logged in the network tab (it also works on unload).
This can also be confirmed by looking at the server logs if done on a site controlled by yourself.

Probable cause (after a quick grep through the extension):
NoScript has multiple definitions of the different permission types.
The bg/RequestGuard.js defines the type ping for beacons and pings. This type is not present in the UI or common/Policy.js.
My attempt at adding "ping" to the Permissions.ALL object and setting custom permissions for my website (the NoScript UI now had a new, unlabeled checkbox) made it work via the browser console at least, but not via window.addEventListener("unload", ...).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

kevinoid
Posts: 6
Joined: Sat Dec 02, 2017 4:11 am

Re: navigator.sendBeacon blocked

Post by kevinoid » Fri Oct 04, 2019 5:35 pm

I just ran into this issue on Firefox 69.0.1 with NoScript 11.0.3. It appears that NoScript still has the undocumented non-configurable behavior of blocking navigator.sendBeacon on all sites, Trusted or otherwise.

Additionally, if navigator.sendBeacon is to be blocked, could the function either be deleted from the navigator object (like older browsers and Firefox with beacon.enabled = false in about:config) or return false (like Firefox if the request fails CORS checks) or throw (like Chrome if the request fails CORS)? That way sites can fall back to XHR/fetch (e.g. for unhandled error reporting, which is how I discovered this behavior).

Thanks for considering,
Kevin
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
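
Added example (not part of the thread and not NoScript code): a sketch of the fallback pattern the post above describes, showing that a site can recover when sendBeacon is removed, returns false, or throws, but cannot detect a beacon that returns true and is then dropped. The helper name sendReport, the injected nav and fetchFn parameters, and the stub objects are assumptions made so the logic runs outside a browser.

```javascript
// Added example: sendReport and the stubs below are hypothetical, not NoScript code.
// nav and fetchFn are injected so the logic also runs outside a browser.
function sendReport(nav, fetchFn, url, payload) {
  const body = JSON.stringify(payload);
  let reason = "sendBeacon missing";
  if (nav && typeof nav.sendBeacon === "function") {
    try {
      if (nav.sendBeacon(url, body) === true) {
        // The browser only reports that the request was queued.
        return { transport: "beacon", reason: null };
      }
      reason = "sendBeacon returned false";
    } catch (err) {
      reason = "sendBeacon threw " + err.name;
    }
  }
  // keepalive asks the browser to finish the request even during unload.
  Promise.resolve(fetchFn(url, { method: "POST", body, keepalive: true }))
    .catch(() => {});
  return { transport: "fetch", reason };
}

// Constructed stand-ins for the four behaviours named in the thread.
function demo() {
  const fetched = [];
  const fetchFn = (url) => { fetched.push(url); };
  const cases = {
    removed: {},
    returnsFalse: { sendBeacon: () => false },
    throws: { sendBeacon: () => { throw new TypeError("blocked"); } },
    silentlyDropped: { sendBeacon: () => true }, // queued, then discarded
  };
  const result = {};
  for (const [name, nav] of Object.entries(cases)) {
    result[name] = sendReport(nav, fetchFn, "/report/" + name, { msg: "x" });
  }
  return { result, fetched };
}
```

In the silentlyDropped case no fallback request is made, so the report is lost without any signal to the page; confirming delivery then requires checking the server logs, as the first post does.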

barbaz
Senior Member
Posts: 9227
Joined: Sat Aug 03, 2013 5:45 pm

Re: navigator.sendBeacon blocked

Post by barbaz » Sat Oct 05, 2019 1:31 am

Someone reported this on GitHub - https://github.com/hackademix/noscript/issues/88

I disagree with the solution proposed by that reporter. Those reclassifications are counter-intuitive and don't address the actual problem: the preset customisations have no checkbox for "ping", which means NoScript silently blocks stuff with no way to allow it!

The real solution is to just add the missing "ping" type checkbox to the permission customisation options.
*Always* check the changelogs BEFORE updating that important software!