Re: Origin header: CORS and the Fetch standard
Posted: Thu Feb 12, 2015 1:44 am
by barbaz
https://noscript.net/getit#devel wrote:
v 2.6.9.14rc1
=============================================================
+ Restored noscript.forbidXHR functionality trying to make it
more web-compatible (thanks barbaz for RFE)
Re: Origin header: CORS and the Fetch standard
Posted: Wed Feb 18, 2015 7:24 pm
by bgmnt
The Fetch standard is vast and apparently does encompass JS-less requests such as those from HTML and CSS. It supports CORS and the Origin header.
This can improve security, but it's awful for privacy unless Firefox respects referrer preferences, which it won't. If I understand correctly, any image request could potentially leak origin if Firefox or NoScript leave the Origin header alone and websites start to make use of Fetch all over the place.
I could be partly wrong but it's at least worth investigating further. Like, am I the only one to see a problem here?