Open Bug 1825989 Opened 2 years ago Updated 2 years ago

CSS scripting media feature has incorrect value when JavaScript is disabled via the uBlock Origin add-on

Categories

(Core :: CSS Parsing and Computation, defect)

Firefox 113
defect

People

(Reporter: sime.vidas, Unassigned)

Attachments

(1 file)

Attached file test-page.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0

Steps to reproduce:

  1. Use Firefox Nightly with uBlock Origin add-on
  2. Open the attached test page
  3. Disable JavaScript via uBO, either globally in uBO’s settings or for the current website via uBO’s popup dialog (the </> button)
  4. Reload the page

Actual results:

The page should say “(scripting: none) is true”

Expected results:

The page still says “(scripting: none) is false”

The Bugbug bot thinks this bug should belong to the 'Core::CSS Parsing and Computation' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → CSS Parsing and Computation
Product: Firefox → Core

AFAICT uBlock does that by basically adding <meta http-equiv="Content-Security-Policy" content="script-src 'none';"/>, so I suppose it's technically on and supported, just prevented from loading (Setting javascript.enabled to false in about:config does change the result).

I think the most relevant part of the spec is here: "Some user agents have the ability to turn off scripting support on a per script basis or per domain basis, allowing some, but not all, scripts to run in a particular document. The scripting media feature does not allow fine grained detection of which script is allowed to run. In this scenario, the value of the scripting media feature should be enabled or initial-only if scripts originating on the same domain as the document are allowed to run, and none otherwise."

So technically I think it's to-spec (Note on spec does mention refining the spec to allow a more fine-grained detection).

Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
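
The mismatch described in the comment above, as an added example (not code from Firefox, uBlock Origin or the attached test page): it checks whether the set of Content-Security-Policy strings on a page blocks every script while the scripting media feature would still report scripting as enabled. All function names are hypothetical, and the reported value is modelled only on what this thread states, namely that the javascript.enabled pref changes it and an injected CSP does not.

```javascript
// Added example: models the behaviour reported in this bug, not browser code.

// Parse one serialized CSP into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A source list blocks everything when it is empty or is exactly 'none'.
// 'none' alongside other source expressions has no effect.
function blocksAll(sources) {
  return sources.length === 0 ||
    (sources.length === 1 && sources[0].toLowerCase() === "'none'");
}

// True when one policy blocks both script elements and inline handlers,
// following the fallback chain: specific directive, script-src, default-src.
function policyBlocksAllScripts(policy) {
  const d = parseCsp(policy);
  return ['script-src-elem', 'script-src-attr'].every((specific) => {
    const name = [specific, 'script-src', 'default-src'].find((n) => d.has(n));
    return name !== undefined && blocksAll(d.get(name));
  });
}

// Every delivered policy (HTTP header or <meta>) is enforced, so a single
// blocking policy, such as one injected by an extension, is enough.
function scriptsBlockedByCsp(policies) {
  return policies.some(policyBlocksAllScripts);
}

// Assumption taken from the thread: the media feature follows the pref only.
function reportedScripting(javascriptEnabledPref) {
  return javascriptEnabledPref ? 'enabled' : 'none';
}

// True in the case this bug reports: CSS says "enabled", CSP blocks all scripts.
function mediaFeatureDisagrees(javascriptEnabledPref, policies) {
  return reportedScripting(javascriptEnabledPref) === 'enabled' &&
    scriptsBlockedByCsp(policies);
}
```
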

I disagree that the quoted spec text is related to this issue. uBlock Origin (uBO) can block scripts “on a per script basis or per domain basis”. That is true. But uBO can also disable JavaScript completely for a specific website. Blocking specific scripts and disabling JavaScript are two different things.

The fact that uBO uses CSP to disable all JavaScript is a problem. It would be better if the web extensions API provided a direct way for extensions to disable JavaScript for the current page.

But this doesn’t change the fact that the user is disabling JavaScript. The user isn’t blocking some scripts. The user is disabling JavaScript completely.

When JavaScript is disabled, whether it’s done via about:config or via an extension, CSS (scripting: none) should match. If it doesn’t, then it doesn’t work reliably, and web developers will ignore it. If most users disable JS via an extension, and only a small number of users disables JS via about:config, then websites will not use (scripting: none) to detect when JS is disabled because it won’t be true for most of their JS-disabling visitors.

Agreed on the distinction really not mattering for users & web devs. Suggested spec change regarding this is here.

I use the JavaScript Toggle On and Off addon, and this too makes use of CSP to turn off JS as needed - and is therefore also ignored by the CSS scripting media query. I think most developers will find CSS scripting unreliable, if one of the most common ways of turning off JS (via an extension) is ignored by this new feature.
