https://noscript.net/getit#devel wrote:
v 2.6.9.14rc1
=============================================================
+ Restored noscript.forbidXHR functionality trying to make it
more web-compatible (thanks barbaz for RFE)
Origin header: CORS and the Fetch standard
Re: Origin header: CORS and the Fetch standard
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0
Re: Origin header: CORS and the Fetch standard
The Fetch standard is vast and apparently does encompass JS-less requests such as those from HTML and CSS. It supports CORS and the Origin header.
This can improve security, but it's awful for privacy unless Firefox respects referrer preferences, which it won't. If I understand correctly, any image request could potentially leak origin if Firefox or NoScript leave the Origin header alone and websites start to make use of Fetch all over the place.
I could be partly wrong, but it's at least worth investigating further. Like, am I the only one to see a problem here?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0