Noscripts "block META redirects" can be subverted?

[access2godzilla]

Using Pale Moon (a fork of FF) 20.0.1 with Noscript set to block "META redirects inside NOSCRIPT elements", but it can be subverted.
(It will occur on FF also. Palemoon is not that much different from Firefox to alter Noscript's behaviour.)

I do not vouch for the content the URL shortener redirects to, or for the advertising links the landing page bears. It is very likely to be malicious. Visit the URL below at your own risk.

URL: lnkgt. com / bhD

Contents of the above are also available at http://pastebin.com/K9dubMwJ

Please look into the issue as soon as possible.'

[access2godzilla]

I tried to fiddle around with that file and found that Noscript will:

• block the META redirect if and only if the URL is relative:

  Code: Select all

  <meta http-equiv="refresh" content="0;url=/noscript.js">

• but allow redirection if the URL is absolute:

  Code: Select all

  <meta http-equiv="refresh" content="0;url=http://www.example.com/noscript.js">

This bug largely nullifies the "block META redirect" option, and I would request that the bug be ironed out ASAP.

[Giorgio Maone]

The problem is Firefox's parser moving the <meta> element out of the <noscript> one if the latter is inside <head> and contains text or any element which cannot be (by HTML rules) placed outside of <body>.
Therefore, if you look at the "live" DOM of the page, rather than at the static source, you'll see the <meta> element is inside <body> and outside <noscript>: that's why NoScript ignore it.
I guess I could use some heuristic to detect this situation, but since we're talking about a corner case in a usability (not a security-critical) feature I'm not sure it's worth the effort.

[Thrawn]

My question is why Firefox still follows the META tag when it's in body...

[access2godzilla]

The problem is Firefox's parser moving the <meta> element out of the <noscript> one if the latter is inside <head> and contains text or any element which cannot be (by HTML rules) placed outside of <body>.
Therefore, if you look at the "live" DOM of the page, rather than at the static source, you'll see the <meta> element is inside <body> and outside <noscript>: that's why NoScript ignore it.

But from what I can reproduce, the redirect occurs only if the URL is absolute. It suggests a bug in NS, not FF.

I guess I could use some heuristic to detect this situation, but since we're talking about a corner case in a usability (not a security-critical) feature I'm not sure it's worth the effort.

Its actually more of a pain in the ass. Sites already seem to, or will get to know of the trick (like the one above), and soon sites with ads, trackers and JS paywalls will throw out the NS users.

I know that FF can block redirects, but blocking all redirects reduces usability.

In the light of the above, I would request Giorgio to reconsider this once more.