HTTPSB's fixNoscriptTags() doesn't fix noscripts

[my-password-is-password]

1. Disable HTTPSB
2. Block Javascript in Chrome's Content Setting ( chrome://settings/content )
3. Visit wired.com

You can see that there are images shown which are inside the noscript tag.

1. Allow Javascript in Chrome's Content Setting
2. Enable HTTPSB ( BA/AX )
3. Visit wired.com

The function fixNoscriptTags() didn't force the DOM Parser to parse the noscript tag. If you inpsect the noscript element you will see Its still text.

A workaround would be to replace the noscript tag with a div that parses the children of the noscript, only if scripts are blacklisted.

Trying to learn to use github. I forked it to try and mess around. Here's my workaround.
my-password-is-password@a93530d

I still don't know how to use github so forgive me if I'm getting in your way. :)

[gorhill]

fixNoscriptTags() works for the bug which is referenced in the comment: the content of the <noscript> tags was rendered as text rather than as HTML, over the content of the page. That was ugly.

The problem you report here is of a different breed. It appears that when using Content Security Policy to block javascript, the browser doesn't render as if javascript was disabled (which would cause <noscript> tags to render properly, it rather throws an error when there is javascript to execute.

[gorhill]

I can't look at the fix right now, give me time I will look later.

[my-password-is-password]

No problem. You don't have look at my fix. Its probably the wrong way to do it. You know what you're doing and you're on another level. I'm just messing around.

[gorhill]

Can you submit a pull request, I want to pull your code in the project.

Also, before you do, you can get rid of the now obsolete (commented out) fixNoscriptTags, given that using CSP causes the <noscript> tags to not be rendered anymore, hence https://code.google.com/p/chromium/issues/detail?id=232410 can't happen anymore.

The behavior you fixed is not actually a bug in <noscript> given javascript isn't disabled from the browser point of view, just forbidden to execute, so you could also revise the comment "Bugged Noscript Workaround" to "Unrendered Noscript (because CSP) Workaround" or whatever.

Thanks for contributing, much appreciated. More contributions welcomed at any time.

[gorhill]

Fixed in pull request #180.

[my-password-is-password]

Umm... This <noscript> thing was a stupid idea. I think you mentioned these 1x1 pixels images somewhere and it seems that's all <noscript> is used for. That wired.com was a bad example of how <noscript> is used.

I checked Firefox's NoScript setting and <noscript> elements are hidden by default for untrusted sites.

Before I found HTTPSB, I used ScriptSafe for Chromium and it also had <noscript> disabled/removed by default.

So I think the way you had it before was better. Parsing <noscript> is a waste of time.

Sorry gorhill

[gorhill]

There is nothing wrong, HTTPSB will block these 1x1 pixel image (or likes) anyways. I like that they are reported, I dislike that these would be removed without the user being informed they existed. That's what HTTPSB is about, showing what a web page tried to do.

I checked with Wired yesterday and I saw only legit images, so I don't think Wired is wrong. I will check again today to see.

[gorhill]

In your first picture, you where on www.yahoo.com? If so, then the matrix will show images pulled from:

• csc.beap.bc.yahoo.com: 1st-party, blocked by HTTPSB with OOB blacklists.
• ad.doubleclick.net: 3rd-party, blocked by HTTPSB with OOB blacklists.
• sb.scorecardresearch.com: 3rd-party, blocked by HTTPSB with OOB blacklists.

Etc.

I want the user to know that the web page tried to pulled data from blocked 1st- and 3rd parties. This is the whole point: an informed user.

Now not all 1x1 pixel images are bad. There are many of them on Wired I saw today, and it's for the purpose of "lazy loading", i.e. they want the images to load after the main page has fully loaded and is in idle mode, in order to make their page load faster.

[gorhill]

Just to show you how "hiding" is a bad solution. I went to Firefox + Noscript, and checked the option Hide <NOSCRIPT> elements. Activated Firebug's "Net" tab, went to https://www.yahoo.com: the csc.beap.bc.yahoo.com 1-pixel image was actually downloaded. "Hiding" is not the proper solution, the proper solution is to have it reported in the matrix (whether blocked or not by HTTPSB), so that the user knows it exists, and can act upon it. In any case, these trackers are most likely blocked by out-of-the-box HTTPSB blacklists, and if not the fact that it is reported in the matrix will allow the user to block it if he wishes to.

[gorhill]

There, why your fix is good:

Before your fix, what was reported:

After your fix, what is reported:

In both cases, the tracking images are not pulled by the browser, but now at least the matrix shows a more accurate overview of what the web page is doing, or trying to do.

[my-password-is-password]

Ok, i see now.

Its just that I saw ads on yahoo inside the <noscript> and thought for a second that HTTPSB wasn't working. But it was yahoo hosting the ads on s.yimg.com with the rest of their images. I don't want your users thinking HTTPSB doesn't help block ads.