[RESOLVED] "fetch" capability exclusively for code entered in the console

Post by dnolan » Mon Oct 05, 2020 12:20 pm

Hi,

I usually run my own code in the JavaScript console associated with certain web pages for which NoScript is configured to block everything but frames. Recently I had the need to perform requests via XHR/fetch and discovered that they are intercepted and blocked by NoScript. I noticed that the requests do work if I allow the "fetch" capability.

Questions:

1. Why does that happen? Is the code I enter in the console perhaps being injected into the web-page context such that NoScript is unable to distinguish it from third-party code?

2. Is it "safe" to allow the "fetch" capability so that it can be used (only) by my own code? I define "safe" as "NoScript continues to deny all capabilities (except frames, as previously noted), including scripting, for the web-page itself".

Thank you.
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Giorgio Maone
Site Admin

Re: "fetch" capability exclusively for code entered in the console

Post by Giorgio Maone » Mon Oct 05, 2020 2:28 pm

Yes, if you use the console attached to a certain web page Firefox creates fetch (and XHR) requests which "belong" to the page, and therefore there's no way for NoScript to distinguish them based on their origin.
Furthermore, Firefox does so in the background when fetching data pertaining to those domains, e.g. in order to retrieve RSS feed updates.
That's the reason why the factory settings for the DEFAULT preset include the fetch capability (some "contextual" browser features could be silently broken otherwise).
On the other hand, this is a completely safe compromise, because the web page itself can use neither fetch nor XHR if scripts are not allowed.
So you probably just want to re-enable the fetch capability in the DEFAULT preset, the way it was.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0


Re: "fetch" capability exclusively for code entered in the console

Post by dnolan » Tue Oct 06, 2020 9:24 am

Hi Mr. Maone.

Thanks for the explanation! Now I finally understand why "fetch" is enabled by default.

Hm. I guess NoScript cannot distinguish these requests because it is sitting on the fence as a kind of request firewall and the browser is not giving enough information about the original motive for the request, or the "agent" who initiated (I suppose the "thirdParty" property of the "details" argument to the "onBeforeRequest" handler is not useful in this case, right?).

Thanks.
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0


Re: "fetch" capability exclusively for code entered in the console

Post by Giorgio Maone » Tue Oct 06, 2020 9:37 am

dnolan wrote:
Tue Oct 06, 2020 9:24 am
I guess NoScript cannot distinguish these requests because it is sitting on the fence as a kind of request firewall and the browser is not giving enough information about the original motive for the request, or the "agent" who initiated (I suppose the "thirdParty" property of the "details" argument to the "onBeforeRequest" handler is not useful in this case, right?).
Spot on.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0
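
Editor's added example (not part of the thread and not NoScript's code): a simplified request-level capability check in the shape of a blocking onBeforeRequest listener. It shows why a console fetch and a page-script fetch get the same verdict, and that granting "fetch" does not unblock script loads. The capability mapping, the policies and the sample request details are constructed assumptions.

```javascript
// Added illustration, not NoScript's implementation. Policies and sample
// request details are constructed; field names follow the webRequest API.

// Resource type -> capability that gates it (simplified, assumed mapping).
const CAPABILITY_FOR_TYPE = {
  script: "script",
  sub_frame: "frame",
  xmlhttprequest: "fetch", // fetch() and XHR both report this type
};

// Same contract as a blocking onBeforeRequest listener: the decision can
// use only what is in `details`, and nothing there marks console input.
function decide(details, grantedBySite) {
  const capability = CAPABILITY_FOR_TYPE[details.type];
  if (!capability) return {}; // type not gated in this sketch
  const site = new URL(details.documentUrl || details.originUrl).origin;
  const granted = grantedBySite[site] || new Set();
  return granted.has(capability) ? {} : { cancel: true };
}

const isBlocked = (details, policy) => decide(details, policy).cancel === true;

// Constructed samples for a page at https://example.test/.
const page = "https://example.test/";
const base = { originUrl: page, documentUrl: page, thirdParty: false, tabId: 3, frameId: 0 };
const fetchFromPageScript = { ...base, type: "xmlhttprequest", url: page + "api" };
const fetchFromConsole = { ...base, type: "xmlhttprequest", url: page + "api" };
const scriptLoad = { ...base, type: "script", url: page + "app.js" };

// The poster's setup (frames only) and the same setup with fetch re-enabled.
const framesOnly = { "https://example.test": new Set(["frame"]) };
const framesAndFetch = { "https://example.test": new Set(["frame", "fetch"]) };

// Verdict (true = blocked) for each combination discussed in the thread.
function summary() {
  return {
    consoleFetchFramesOnly: isBlocked(fetchFromConsole, framesOnly),
    pageFetchFramesOnly: isBlocked(fetchFromPageScript, framesOnly),
    consoleFetchWithFetch: isBlocked(fetchFromConsole, framesAndFetch),
    scriptLoadWithFetch: isBlocked(scriptLoad, framesAndFetch),
  };
}
console.log(summary());
```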
