InformAction Forums

NoScript has had a tickbox marked "Forbid META redirections inside <NOSCRIPT> elements" which only applies to untrusted sites. Considering that there are allow/forbid <a ping...> options on both the untrusted and trusted tabs, that has to mean that the meta stuff only applies to untrusted sites. Which contradicts what is said elsewhere on this forum, and I am not sure corresponds with behaviour I have seen by NoScript.

Please can you clarify what NS will block on the annoying redirection or refresh fronts? And perhaps if it does not work properly just remove the feature. Something like that is best implemented in a stand-alone browser extension anyway - meta refreshes and HTTP header responses have nothing to do with javascript.

One site with annoying refreshes is informaction.com, a dangerous hacking site!!!11!! A newspaper told me that the noxious keyboard fumes that can be used to steal children over the internet were developed by this site, so be careful1!!á!¬é!

The page http://forums.informaction.com/ucp.php?mode=activate&u=23080&k=S5P27G8EV2
contained the following:
<meta http-equiv="refresh" content="3;url=http://forums.informaction.com/index.php?sid=dc002becbd78514f7e9596ce759b44f4" />

After logging in, this page:
http://forums.informaction.com/ucp.php?mode=login
contained the following:
<meta http-equiv="refresh" content="3;url=http://forums.informaction.com/posting.php?mode=reply&f=10&t=5595&sid=7797199bad79b48f4e7217fbe1bc3f4d" />

The above refreshes were not within <noscript> tags and JS was not allowed, so that actually seems to fit with what NS is set to do. Why have such a specific option though? Surely when people use this option they want to reign in all refreshing and redirection and shit, not just the specific situation where a webmaster makes a page that redirects with JS, but meta refreshes for those with JS disabled (ie, they use <noscript> tags)? If a webmaster makes a page that has both a meta refresh and a JS refresh, then the annoying behaviour occurs and NS cannot do anything about it! Please just remove this half-feature and if there isn't an alternative perhaps rustle up a dedicated redirection restriction tool. Though NoRedirect on AMO looks like it might be OK.

Some Google things seem to try and redirect or refresh, and NoScript seems to intercept them. I don't use Google's services much as they are just a bunch of data-rapists these days, so I can't say for certain where I have seen it. Maps and images, probably.

These might be relevant settings from about:config:
noscript.forbidBGRefresh;1
noscript.forbidBGRefresh.exceptions;.mozilla.org (now deleted, I do not want to waste resources and jeopardise my security by having workarounds on my system. Features are desirable (to a point, cf feature creep), but political decisions about which sites by default will face restrictions and which ones won't is not welcome. NS suffers from this problem in a big way).
noscript.forbidMetaRefresh;true
noscript.forbidMetaRefresh.remember;false? What does this one do too, it doesn't seem obvious.
noscript.nselNoMeta;true
noscript.forbidMetaRefresh.notify;false

Do these have any bearing?
noscript.jsredirectFollow;false
noscript.jsredirectForceShow;false
noscript.jsredirectIgnore;false

I'm on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.17) Gecko/20110302 SeaMonkey/2.0.12 and NoScript v2.0.9.9.

First of all, hello and welcome "I've just registered and logged in, but now I am not? Is this site incompatible with TOR users?".

I've just registered and logged in, but now I am not? Is this site incompatible with TOR users? wrote:Why have such a specific option though? Surely when people use this option they want to reign in all refreshing and redirection and shit, not just the specific situation where a webmaster makes a page that redirects with JS, but meta refreshes for those with JS disabled (ie, they use <noscript> tags)? If a webmaster makes a page that has both a meta refresh and a JS refresh, then the annoying behaviour occurs and NS cannot do anything about it! Please just remove this half-feature and if there isn't an alternative perhaps rustle up a dedicated redirection restriction tool.

I believe this feature is meant for cases where the meta refresh would be used to redirect to sorry-I'm-afraid-I-can't-let-you-surf-here-without-JS pages.

Can JS over rule what a meta tag tells the browser to do, or make the browser ignore certain meta tags?

A page might have a meta tag to send non-js users to a you-need-js-page, but then use JS to disable that meta tag so JS-enabled users do not get redirected. That is essentially the same as putting the meta tag in <noscript>s, but if possible then there will be sites doing it the complicated way (a million monkeys, and all that).

A page could also have a meta refresh with a time out of a couple of seconds, and a JS function to send users to the site's content immediately upon the page's loading. That is a likely to go wrong every now and again for JS-enabled users, but I think we've all seen websites that have clearly been developed on a LAN or localhost with no thought as to the realities of the internet (packet loss, low bandwidth, different browsing environments, etc.).

If that "feature is meant for cases where the meta refresh would be used to redirect to sorry-I'm-afraid-I-can't-let-you-surf-here-without-JS pages", then there are loopholes in the security/annoyance-stopping feature.

And if there are ways to dodge NoScript, then sooner or later the web-slime will try it. Annoyances are one thing, but trackers and advertisers are not welcome at all in my browsers. One of the things that separates the web from TV is that the user is potentially in so much more control of the experience, and tools such as NoScript help make that a reality. I think that is why I find the defaults in NoScript a bit bitter.

A user-empowering tool like NoScript on a TV would be great - no banners telling us what's up next, no DOGs/bugs, no "press the red button". Of course, TV has all those things to keep people watching and for brand identity, and because they can do it, but I actually don't give a shit about those things - they get in the way of what I am trying to watch. Given half a chance, the web would become like TV, but due to the technicalities of it users can empower themselves if they choose to. If they listen to the loud commercial voices, they will probably choose not to though (and will buy into using web applications on modern day dumb terminals, via such limited internet access that it makes the original AOL look extensive ("Youtube AND Facebook? WOW!"). Add on some fake artificial scarcity in the form of download limits (eg 10GB), and really things are no more than a 21st century TV).

Heh, got mildly side-tracked there. Now I've had a quick a look at http://noscript.net/features#options it does say

Forbid META redirections inside <noscript> elements, which are often used to send the unwilling user to a dumb "Please enable JavaScript" page. Notice that this option may interfere with the RefreshBlocker extension.

This fits with what you say, though that means there could be loop holes in that feature though.

I have just noticed something else odd about The Feature. With JS off and NS forbidding meta redirections, if you go from an AMO extension page to an external site they send you through their tracking system but you see a page linking you to the external site. Looking at the source of one such page (eg http://outgoing.mozilla.org/v1/035913b2 ... script.net ), the line <meta http-equiv="refresh" content="0;url=http://noscript.net"> is not actually within <noscript></noscript> tags. The page uses <noscript> tags to set the page's content to visible "for the misguided souls without javascript". That quote is from a comment in the source, code written by someone at an organisation who's biggest funder makes most of their money from advertising. Yes, we must be the misguided ones!


And I was just offered this captcha!

Google wants us to use not only the Latin alphabet, but also Greek? Damn, we have to justify ourselves more and more to these machines! I am a fucking human, OK Google?