
sendBeacon is always blocked

Open · da2x opened this issue 6 years ago · 1 comment

  1. Install NoScript but configure it to allow everything on every origin by default
  2. Open https://example.com
  3. Open your browser’s developer console
  4. Configure it to show network requests (toggle Requests in the filter bar)
  5. Execute this in the console: navigator.sendBeacon('https://clients1.google.com/generate_204', {'test': 1})
  6. Wait a few seconds.

Actual: sendBeacon returns true but then doesn’t send any requests.

Expect: either sendBeacon should return true (the request was accepted and queued) and send the network request within a few seconds, OR it should return false (the request was rejected).

Notes: sendBeacon is a generic method for sending POST requests. It should be classified the same as xmlhttprequest and fetch, and not the same as a[ping]. Or maybe reclassify xmlhttprequest->post, beacon, and ping as a new type "post" if you really want to differentiate between retrieving and sending data.

da2x · Jun 20 '19 13:06

Hi @da2x, thank you for your patch. I understand your reasoning, but I'd rather prefer a "beacon" type (enabled by default on TRUSTED), because cross-site fetch is protected by CORS, while sendBeacon is not (yet) and therefore has more potential to be abused for CSRF attacks. Ping is yet another type because it doesn't require scripts.

hackademix · Jun 07 '20 06:06
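The maintainer's point above is that a cross-site sendBeacon POST reaches the target origin with no CORS preflight, exactly like an HTML form submission, so the receiving site has to decide for itself whether to act on it. The following is an added example, not NoScript's code nor anything from this thread: a server-side guard that makes that decision from browser-controlled request metadata (Sec-Fetch-Site, Origin) and reports whether the Content-Type was one that can be sent cross-site blind. SITE_ORIGIN and the sample requests are assumptions constructed for the example.

```javascript
// Added example (not NoScript's code): server-side CSRF guard for POSTs that may
// originate from sendBeacon, forms or simple fetch/XHR, none of which trigger a
// CORS preflight. SITE_ORIGIN is an assumed value for the protected app.
const SITE_ORIGIN = 'https://example.com';

// Content types a browser will send cross-site without a CORS preflight.
// sendBeacon with a string body sends text/plain, so it falls in this set.
const SIMPLE_CONTENT_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
];

function isSimpleContentType(contentType) {
  if (!contentType) return true; // no body, no Content-Type: still no preflight
  const mime = contentType.split(';')[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.includes(mime);
}

// headers: plain object with lower-case header names, as a server would hold them.
// Returns { allow, preflightable, reason } rather than throwing, so it can be
// logged and tested.
function checkCrossSitePost(headers) {
  const origin = headers['origin'];
  const fetchSite = headers['sec-fetch-site'];
  const preflightable = !isSimpleContentType(headers['content-type']);

  // Sec-Fetch-Site is set by the browser and cannot be altered by page script.
  if (fetchSite === 'cross-site') {
    return { allow: false, preflightable, reason: 'Sec-Fetch-Site: cross-site' };
  }
  // Browsers without Fetch Metadata: fall back to the browser-set Origin header.
  if (origin && origin !== SITE_ORIGIN) {
    return { allow: false, preflightable, reason: `foreign Origin ${origin}` };
  }
  // Same-site (or no origin information at all, e.g. a non-browser client,
  // which a separate auth check must cover).
  return { allow: true, preflightable, reason: 'same-site or no Origin' };
}

// Constructed sample: what a beacon fired from another site looks like on arrival.
const beaconFromElsewhere = {
  'origin': 'https://other.example',
  'sec-fetch-site': 'cross-site',
  'content-type': 'text/plain;charset=UTF-8',
};
console.log(checkCrossSitePost(beaconFromElsewhere)); // allow: false
```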