10.1.6.4 XHR Request to php form

Bug reports and enhancement requests
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

10.1.6.4 XHR Request to php form

Post by skriptimaahinen »

NoScript appears to block XHR Request to a php form.

The example code below simply throws an error event.

Code:

// Log the response body once the request completes.
function onLoad () {
  console.log(this.responseText);
}
var req = new XMLHttpRequest();
req.addEventListener("load", onLoad);
// POST a multipart form body to a PHP script on the same origin as the page.
req.open("POST", "form.php");
var formData = new FormData();
formData.append("q", "example");
req.send(formData);

However, this code does return a response:

Code:

// Same handler as above.
function onLoad () {
  console.log(this.responseText);
}
var req = new XMLHttpRequest();
req.addEventListener("load", onLoad);
// POST with no body to a static HTML page on the same origin.
req.open("POST", "page.html");
req.send();

I have tried running the code as a content script and from the console. In both cases, calling the PHP form only works if NoScript is disabled or set to allow "script" and "fetch".

PS: Why does using

Code:

XMLHttpRequest

in the text or title without code tags trigger the spam filter?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: 10.1.6.4 XHR Request to php form

Post by barbaz »

skriptimaahinen wrote: calling the php form only works if NoScript is disabled or set to allow "script" and "fetch".
Sounds like expected behavior. You should need "script" permission for the domain containing that code, and "fetch" permission for the target domain of the XHR.

Can you please clarify what the bug is here?
*Always* check the changelogs BEFORE updating that important software!
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: 10.1.6.4 XHR Request to php form

Post by skriptimaahinen »

With "contentscript" I meant a script injected by a WebExtension, and with "console" the developer tools console. As far as I understand, neither should be affected by CSP or NoScript, and the XHR request is the only part of the script that is failing. The rest of the script (and the latter example) runs well even without the privileges.

Note that this is most likely not a same-origin issue, as the PHP script is on the same domain as the page itself.
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: 10.1.6.4 XHR Request to php form

Post by skriptimaahinen »

Well, this is interesting. Found in the "RSS Feeds Broken" thread (https://forums.informaction.com/viewtop ... c30#p95749):
OK, I've just tried to add the http://www.gamespot.com/feeds/news/ and http://www.polygon.com/rss/index.xml as live bookmarklets, and they did load fine.
I've also tried forcing them to reload ("Reload live bookmark"), just to rule out any cache side effect, and watched them reload in the browser console (reported as XHR loads).
What I suspect is that you've removed the "fetch" permission from DEFAULT of whatever preset (CUSTOM?) you're using for those sites.
The fetch permission is needed for live bookmarks to load, and that's the main reason why it's included in the DEFAULT preset. Furthermore, no "normal" website could abuse this permission without having the "script" permission as well; therefore the DEFAULT preset (with "fetch" but no "script") just lets the browser (whose internal scripts are privileged) spawn its background requests, without giving untrusted web pages any extra power.
And indeed, setting just "fetch" (but not "script") to allowed in DEFAULT fixes the XHR request. So maybe this is intended behaviour, but it is nevertheless quite confusing...
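The permission rule the thread arrives at, written out as an added JavaScript model (this is not NoScript's own code): a request issued by page script needs "script" on the page's origin and "fetch" on the target origin, while a request issued by privileged or extension code (browser live-bookmark loads, injected content scripts, the devtools console, as observed above) needs only "fetch" on the target. The preset names, the capability sets and the policy-lookup helpers are assumptions made for the example.

```javascript
// Capability sets per preset, as the quoted post describes them (assumed shape).
const PRESETS = {
  DEFAULT: new Set(["fetch"]),            // stock DEFAULT: fetch, no script
  TRUSTED: new Set(["script", "fetch"]),
  UNTRUSTED: new Set(),
};

// Build a lookup from a policy { presets, sites }: sites maps an origin to a
// preset name; unknown origins fall back to the (possibly customised) DEFAULT.
function capabilityLookup(policy) {
  const presets = { ...PRESETS, ...(policy.presets || {}) };
  const sites = policy.sites || {};
  return (origin) => presets[sites[origin] || "DEFAULT"] || PRESETS.UNTRUSTED;
}

// initiator: "page" for script running as part of the web page, or
// "privileged" for browser-internal loads, extension content scripts and the
// devtools console (which, per the thread, are gated on "fetch" alone).
function xhrDecision(capsOf, pageUrl, targetUrl, initiator = "page") {
  const target = new URL(targetUrl).origin;
  if (!capsOf(target).has("fetch")) {
    return { allowed: false, reason: `no "fetch" permission for ${target}` };
  }
  if (initiator === "page") {
    const page = new URL(pageUrl).origin;
    if (!capsOf(page).has("script")) {
      return { allowed: false, reason: `no "script" permission for ${page}` };
    }
  }
  return { allowed: true, reason: "ok" };
}

// Walk through the thread's scenario: constructed example URLs, same origin.
function threadScenario() {
  const page = "https://example.test/page.html";
  const form = "https://example.test/form.php";
  // The reporter's initial state: "fetch" had been removed from DEFAULT.
  const noFetch = capabilityLookup({ presets: { DEFAULT: new Set() } });
  // The fix from the last post: stock DEFAULT with "fetch" only.
  const stock = capabilityLookup({});
  // Barbaz's case: page script needs the site marked TRUSTED as well.
  const trusted = capabilityLookup({ sites: { "https://example.test": "TRUSTED" } });
  return {
    consoleNoFetch: xhrDecision(noFetch, page, form, "privileged").allowed,  // false
    consoleStock: xhrDecision(stock, page, form, "privileged").allowed,      // true
    pageStock: xhrDecision(stock, page, form, "page").allowed,               // false
    pageTrusted: xhrDecision(trusted, page, form, "page").allowed,           // true
  };
}
```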