<noscript> is ignored when uMatrix blocks JavaScript

[rkoe]

If JavaScript is blocked by uMatrix, <noscript>-sections are ignored. This breaks several webpages, e.g. Google image search, and other sites which offer an alternative non-JavaScript-version. So, if I use uMatrix for blocking JavaScript, I have to enable JavaScript on many sites which would work fine without JavaScript. :(
Similar problems were described in #260 and #292, and #232 looks related.

I think the right way would be to execute the <noscript>-sections if JavaScript is disabled/blocked by uMatrix. Is this possible with uMatrix?

I would love it if this would be possible with uMatrix, since I then wouldn't need NoScript anymore.

Current workaround: Use NoScript to block JavaScript; then, <noscript>-tags work. (But I would like to use uMatrix, since it's easier to use, has a better user-interface, and is a one-tool-for-all-tool.)

How to reproduce:

• Setup: Firefox with installed uMatrix and NoScript
• (u) Block scripts by uMatrix -> <noscript> does not work:
  Set "Allow scripts globally" in NoScript, effectively disabling NoScript. Now, <noscript>-contents are ignored, and e.g. Google image search shows a blank page.
• (n) Block scripts by NoScript -> <noscript> works:
  Set "Forbid scripts globally" in NoScript. Now, NoScripts blocks JavaScript and <noscript>-contents work.

Examples:

• http://linkmauve.fr/files/ublock.xhtml/ - This should always show either "Using <noscript/>" or "Using <script/>". When JS is blocked/allowed by NoScript (n), this works; when JS is blocked by uMatrix (u), an empty page is shown.
• https://www.google.de/search?q=test&tbm=isch - This is a shortened URL of a google-image search. If JS is blocked by NoScript (n), the browser is redirected to a non-JavaScript-version, and the Google image-search can be used without JavaScript. If JS is blocked by uMatrix (u), only an empty page is shown, and I have to enable JavaScript to use the Google image search.

[ghost]

gorhill/uBlock#308 (comment)

[c-mart]

Has this situation changed in the past year? I would really like to switch from NoScript to uMatrix!
Unfortunately, uMatrix prevents sites from gracefully degrading to the non-JS version using <noscript> tags, which requires us to allow JS in more places than we would with NoScript. The only upshot is not seeing the "this site requires JavaScript to function" warnings. :)

It appears that there was originally an attempt to render <noscript> tags, which was removed a year ago when it was found to break Google results in Firefox.

How is NoScript doing this in a way that uMatrix cannot?

[ghost]

This looks solvable, on Chromium at least. The contentSettings.javascript API there is what determines whether <noscript> tags are run or not; right now uMatrix is just setting a blanket allow-all in it and doing fine-grained settings via injecting CSP headers, which aren't the same thing. This is correct behaviour according to the standard so we can't simply go tell the browsers to suck less.

Now, it seems obvious that the native API isn't going to work for every case or else it would've been used from the start, but I can see it working fine for simple cases where everything in a site's "script" column would be red anyway. I'm not interested in checking myself, but a similar method might work in Firefox's permissions system too. It might even end up a tiny bit more efficient if it can cause the browser to avoid pre-emptively setting up a script environment for the page.

[gorhill]

Scripts are blocked on the fly in uBO/uMatrix. contentSettings.javascript API is async.

[ghost]

@gorhill: I understand what you're saying: the browser settings only get applied one time when the tab first loads and they can't know about embedded content to whitelist in advance. But please don't dismiss it offhand for that, I wasn't asking for something impossible.

I don't mean that it should replace the current script settings, but be used in addition to them. The CSP-based filtering code doesn't need to change at all; as long as the browser whitelist contains (at least) every domain scope that's whitelisted in the extension for active content (including *) it should continue to function the same as it does now.

It might behave slightly differently — that's the whole point of the bug report — but I can't think of any situations where it'd add breakage except contrived ones (like whitelisting a site that relies entirely on self-contained onclick handlers, and then trying to use it without reloading). It'd make it a little harder for pages to detect when someone has this installed, too.

(If I'm being dumb and this really is impossible for some reason, can we at least have an option to unlock the browser JS settings and do it manually?)

[gorhill]

I wasn't asking for something impossible.

My opinion on this is simple: if you have an idea, work on it to make the case that it works.

[pmaziere]

Just an idea thrown without any knowledge of the uMatrix internals: if there is a way to check that scripts have been intercepted by uMatrix for a given page, why not simply grab the inner html of this page noscript tags, insert it before the noscript tag and then delete the noscript tag ?

[gorhill]

Browsers ignore noscript tags when javascript is blocked through a Content Security Policy header.

[pmaziere]

'ignore' like 'do not include them in the DOM' so that there is no way to have access to their content ?
So the only solution would be for uMatrix to re-download the raw HTML of the page, locate and extract the noscript tag content to reinject it in the at the right place in the DOM…

[gorhill]

There are not parsed, they are discarded.

The real solution was implemented before, I removed it when I refactored HTTPSB -- it had its own quirks.

[gorhill]

I am going to revive the original code to spoof noscript tags.

It will however be a per-scope switch: for the noscript tags to be spoofed, the following conditions will have to be met:

• 1st-party script must be blocked
• The noscript-spoof switch must be enabled

By default the noscript-spoof switch is disabled, so that the current behavior of uMatrix is not modified. noscript tags do not always contain desirable content, hence it's best to let users opt-in with a per-scope switch.

As with other per-scope switches, there will be a default state in the Settings pane in the dashboard.

[gorhill]

Fixed with 9d43f92.

[rkoe]

Thanks! =)

[gorhill]

Another quirk to fix: the automatic redirection won't work if the URL is not absolute, I need to fix this for next release.

[grumpygeek]

Be careful with allowing meta refresh. That was used by that famous hacker guy after he got out of prison and I've tried to keep it blocked ever since. If it is default block, allow on selected trusted sites, as I think you're planning, then I think that is generally OK (except for when a site gets hacked by dudes like him).

[gorhill]

The meta refresh will be triggered only if 1st-party scripts are blocked and the <noscript>-spoofing switch is enabled. It is currently disabled by default.

[baptx]

@grumpygeek I did not hear this story :D Do you have a link to share?

[grumpygeek]

Don't want to hijack Gorhill's thread. Also want to avoid mentioning the guy's name. So here, https://tinyurl.com/pdlzg3s