Page MenuHomePhabricator

Certain edit links on de.wp redirect to Main Page due to "NoScript"
Closed, InvalidPublic

Description

On certain pages on dewiki, clicking “Edit” (source, not Visual) redirects me to the wiki’s Main Page. For instance:

On these pages, adding ?action=purge to the link has the same effect.

The problem doesn’t happen from another browser profile when I’m not logged in.

Event Timeline

DSGalaktos raised the priority of this task from to Needs Triage.
DSGalaktos updated the task description. (Show Details)
DSGalaktos added a subscriber: DSGalaktos.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 9 2015, 10:42 AM

More specifically, the redirect is HTTP 301: Moved Permanently.

If I log in from another browser profile, I don’t experience this bug, so I suspect my session in my main browser profile is somehow borked. I’ll try keeping that session alive, so that we have some way of reproducing this bug.

Which web browser and version is this about? (Wondering if Opera is involved.)
Also, do you use the Avast antivirus software by any chance? (As there were recently problems.)

Cannot reproduce the problem with Firefox 40 on Linux.

Aklapper renamed this task from Certain edit links redirect to Main Page to Certain edit links on de.wp redirect to Main Page.Sep 11 2015, 1:56 PM
Aklapper set Security to None.

Firefox 42.0a2 (2015-08-18), i. e. current Developer Edition, on Linux. But as I said, when I log in from a second browser profile (same browser), I can’t reproduce it either, so it’s probably specific to my current session. (I can still reproduce it in my main profile.)

Oh, interesting. I did a restart with Add-Ons disabled, and started in Safe Mode (whatever that does), and now I don’t get redirected. (I’m still logged in, so the session should be the same.)

I’ll try to find out if it’s a particular browser plug-in.

@Ciencia_Al_Poder I don’t think so, I don’t use Opera…

The issue seems to be caused by NoScript. Disabling and Enabling NoScript removes and restores the problem.

However, NoScript doesn’t report any blocked scripts (I allowed wikipedia.org and wikimedia.org), so I’m not sure why this is happening. But for some reason, when I open the link

https://de.wikipedia.org/w/index.php?title=Friedrich_II._(Preu%C3%9Fen)&action=edit

I see this request in the Network Panel instead:

https://de.wikipedia.org/#44456304639908995763

which redirects to the Main Page.

So this is probably a bug in NoScript…

Aklapper renamed this task from Certain edit links on de.wp redirect to Main Page to Certain edit links on de.wp redirect to Main Page due to "NoScript".Sep 13 2015, 8:47 PM
Aklapper closed this task as Invalid.

Glad you found the reason!
Closing this task as invalid as NoScript behavior is out of control of Wikimedia.

Hey, not so fast, I didn’t even file a bug there yet :(

Can anyone else reproduce this with NoScript?

I can reproduce with NoScript on https://de.wikipedia.org/w/index.php?title=Friedrich_II._(Preu%C3%9Fen)&action=edit
But disallowing certain url's with special characters is part of a NoScript feature against cross-site scripting and not a bug - unless false positives by an aggressive filter is considered a bug.

See https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_%28technical%29&oldid=682074906#Redirect_to_Commons_on_one_issue
and https://noscript.net/faq#qa4_2

The issue could sometimes be avoided by producing different url's but I don't think MediaWiki should do this just to circumvent a feature in a browser add-on.

Interesting, thank you very much for that information. I didn’t know NoScript did that kind of protection.

So it looks like this is actually intended behavior for NoScript, even though there’s nothing cross-site going on here (it’s a link from de.wikipedia.org to de.wikipedia.org):

Cross-site requests from a trusted site to a different trusted site are checked through the InjectionChecker engine, which is more accurate and sanitizes only requests which contain conspicuous fragments of HTML or syntactically valid JavaScript.

Friedrich_II._(Preußen) is a legal JavaScript invocation expression: Friedrich_II is a valid JavaScript identifier. . is a member operator. _ is another valid identifier. (…) is an argument list, to form a function invocation. And I guess Preußen or Preu%C3%9Fen looks like a suspicious argument to NoScript – blocked.