<noscript><meta http-equiv=Refresh> should not force https with NoScript #21

@Lekensteyn

test.html:

<noscript>
<meta http-equiv="Refresh" content="0;URL=http://example.com/">
</noscript>

Open http://localhost:8000/test.html (or wherever you host it) with scripts blocked by NoScript (either untrusted or default policy with active content blocked).

Expected result:
http://example.com/ (scheme http) should be opened

Actual result:
https://example.com/ (scheme https) is opened.

Versions:
Firefox 59.0.1
HTTPS by default 0.4.5
NoScript 10.1.7.5

Additional information:
It seems that the redirect is indistinguishable from a URL as entered in the location bar. Contents of details from onBeforeRequest:

{
  "requestId": "61",
  "url": "http://example.com/",
  "method": "GET",
  "type": "main_frame",
  "timeStamp": 1522833130652,
  "frameId": 0,
  "parentFrameId": -1,
  "proxyInfo": null,
  "ip": null,
  "frameAncestors": [],
  "tabId": 7
}

When visiting a URL (example.com) from the location bar, the details change to:

@@ -1,13 +1,13 @@
 {
-  "requestId": "61",
-  "url": "http://example.com/",
+  "requestId": "72",
+  "url": "http://example.net/",
   "method": "GET",
   "type": "main_frame",
-  "timeStamp": 1522833130652,
+  "timeStamp": 1522833147688,
   "frameId": 0,
   "parentFrameId": -1,
   "proxyInfo": null,
   "ip": null,
   "frameAncestors": [],
-  "tabId": 7
+  "tabId": 8
 }
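
Review bot: the "url" line changes host from example.com to example.net, while the sentence introducing this comparison says example.com was entered in the location bar, so the two captures are not of the same URL. Repeating the location-bar capture with http://example.com/ would leave only requestId, timeStamp and tabId differing, which identify the individual request and tab, and would make it explicit that no field in details separates the meta refresh from a typed URL.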
