Hello,
the function navigator.sendBeacon(url, data) is being blocked by NoScript.
NoScript: 10.1.7.5
Firefox: 59.0.2
Steps to reproduce:
Run navigator.sendBeacon('/SOMETHING_RECOGNIZABLE', {}) on any site (via the browser console or directly as script on the page).
sendBeacon will return true (indicating successful queuing of the request) but the network tab won't show any beacon request.
With NoScript disabled the beacon request is being sent immediately and logged in the network tab (it also works on unload).
This can also be confirmed by looking at the server logs if done on a site controlled by yourself.
Probable cause (after a quick grep through the extension):
NoScript has multiple definitions of the different permission types.
The bg/RequestGuard.js defines the type ping for beacons and pings. This type is not present in the UI or common/Policy.js.
My attempt at adding "ping" to the Permissions.ALL object and setting custom permissions for my website (the NoScript UI now had a new, unlabeled checkbox) made it work via the browser console at least, but not via window.addEventListener("unload", ...).
navigator.sendBeacon blocked
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Re: navigator.sendBeacon blocked
I just ran into this issue on Firefox 69.0.1 with NoScript 11.0.3. It appears that NoScript still has the undocumented non-configurable behavior of blocking navigator.sendBeacon on all sites, Trusted or otherwise.
Additionally, if navigator.sendBeacon is to be blocked, could the function either be deleted from the navigator object (like older browsers and Firefox with beacon.enabled = false in about:config) or return false (like Firefox if the request fails CORS checks) or throw (like Chrome if the request fails CORS)? That way sites can fall back to XHR/fetch (e.g. for unhandled error reporting, which is how I discovered this behavior).
Thanks for considering,
Kevin
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
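The fallback the post above asks to be made possible, as an added example that is not from any poster in this thread or from NoScript's code: a reporter that falls back to fetch on each of the three signals listed there (function missing, returns false, throws). The names report, nav and fetchFn are hypothetical; nav and fetchFn are injectable so the logic can be exercised outside a browser.

```javascript
// Added example. Returns the transport chosen: "beacon", "fetch" or "none".
function report(url, payload, nav, fetchFn) {
  // Defaults are the browser globals; both can be replaced by stubs.
  nav = nav || (typeof navigator !== "undefined" ? navigator : {});
  fetchFn = fetchFn || (typeof fetch === "function" ? fetch : null);
  const body = JSON.stringify(payload);

  // Signal 1: the function is absent (older browsers, beacon.enabled = false).
  if (typeof nav.sendBeacon === "function") {
    try {
      // Signal 2: false means the browser refused to queue the request.
      if (nav.sendBeacon(url, body)) {
        // true only means "queued". A request dropped afterwards by an
        // extension is not observable here, which is why the behaviour
        // reported in this thread cannot be detected from page script.
        return "beacon";
      }
    } catch (e) {
      // Signal 3: the call threw; fall through to fetch.
    }
  }

  if (fetchFn) {
    try {
      // keepalive lets the request outlive the page, as a beacon would.
      // The result is deliberately ignored: error reporting must not throw.
      Promise.resolve(
        fetchFn(url, { method: "POST", body: body, keepalive: true })
      ).catch(function () {});
      return "fetch";
    } catch (e) {
      return "none";
    }
  }
  return "none";
}
```

Only the three explicit signals trigger the fallback; a silently dropped beacon still returns "beacon", so server-side gaps in reports remain the only evidence of that case.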
Re: navigator.sendBeacon blocked
Someone reported this on GitHub - https://github.com/hackademix/noscript/issues/88
I disagree with the solution proposed by that reporter. Those reclassifications are counter-intuitive and don't address the actual problem: the preset customisations have no checkbox for "ping", which means NoScript silently blocks stuff with no way to allow it!
The real solution is to just add the missing "ping" type checkbox to the permission customisation options.
*Always* check the changelogs BEFORE updating that important software!
Re: navigator.sendBeacon blocked
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Re: navigator.sendBeacon blocked
Since we're here, & since we now have it, in layman's terms, just what does "sendBeacon" do (or not do, before) & how was one affected by it (before or now). As in what does one see or not see, impacted or not, when sendBeacon is blocked, or allowed?
https://developer.mozilla.org/en-US/doc ... sendBeacon
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.5