Randomly EmojiOne XSS popup appears

[rugk]

BTW the actual bug here is no XSS: It is just a broken request containing the string "{". And because of that string, NoScript categorizes it as XSS.

[Pansa]

Each modern browser uses JavaScript everywhere. In the DevTools, in the settings page, etc. That's just how you develop things… And as long as these pages are still sandboxed (and not elevated inm contrast to usual pages) that's not really bad.
I mean nowadays we even have whole desktop applications out of JavaScript & co (Electron).

I didn't question using Javascript.
Although the incessant use of it is exactly the reason why we are HERE, specifically...
I mean, curtailing code being run (often without any upside to us or our experience...) is kind of why we are in this forum about this addon.
Even though you probably don't really agree, seeing that your core wish last week was just nilly willy to run every and anything as long as the source is someone who managed to buy a certificate....

My problem is with unasked for and unwarranted 3rd party trust. I have a serious beef with transitive trust. Just because I trust you in general, or have to trust you, doesn't mean you can trust someone else FOR me without at least giving me a choice. And this is why I find XSS in general suspect.

And I get it, MOST of the times it will be benign, but I see no problem with false positives if they are informative.
And I question whether it is actually properly sanitized if the "failed script" on the websites end gets delivered so far, that no-script can trigger off of script elements, even if it turns out to be harmless in THIS case.

This is why I argued that it is not a no-script bug. If FF thinks it's ok to grab that, and not sanitize it properly, then I believe it's more than ok for Noscript to trigger. Worst case I break something visually on my end.
And given the overall exchange, including the "well look at it when you reload, it CAN'T be those parts" although the page demonstrably refreshes on firefox restart and grabs fresh content from the web, just not on every reload... I find that slightly worrying in terms of "doing analysis".
It grabs new content after it asked the sources it considered whether there is something new. If there is not, it's only natural that it uses what it already cached.

And btw apparently I'm not the only one who might see some problem in how the highlights are handled.
https://bugzilla.mozilla.org/show_bug.cgi?id=1410920
It's different, but boils down to something similar in terms of "why do I automatically ask a random page I visited for data again?"