InformAction Forums

Hi,

I usually run my own code in the javascript console associated to certain web pages for which NoScript is configured to block everything but frames. Recently I had the need to perform requests via XHR/fetch and discovered that they are intercepted and blocked by NoScript. I noticed that the requests do work if I allow the "fetch" capability.

Questions:

1. Why does that happen? Is the code I enter in the console perhaps being injected into the web-page context such that NoScript is unable to distinguish it from third-party code?

2. Is it "safe" to allow the "fetch" capability so that it can be used (only) by my own code? I define "safe" as "NoScript continues to deny all capabilities (except frames, as previously noted), including scripting, for the web-page itself".

Thank you.

Yes, if you use the console attached to a certain web page Firefox creates fetch (and XHR) requests which "belong" to the page, and therefore there's no way for NoScript to distinguish them based on their origin.
Furthermore, Firefox do so in the background when fetching data pertaining those domains, e.g. in order to retrieve RSS feeds updates.
That's the reason why the factory settings for the DEFAULT preset includes the fetch capability (some "contextual" browser features could be silently broken otherwise).
On the other end, this is a completely safe compromise, because the web page itself cannot use neither fetch nor XHR if scripts are not allowed.
So you probably just want to re-enable the fetch capability in the DEFAULT preset, the way it was.

Hi Mr. Maone.

Thanks for the explanation! Now I finally understand why "fetch" is enabled by default.

Hm. I guess NoScript cannot distinguish these requests because it is sitting on the fence as a kind of request firewall and the browser is not giving enough information about the original motive for the request, or the "agent" who initiated (I suppose the "thirdParty" property of the "details" argument to the "onBeforeRequest" handler is not useful in this case, right?).

Thanks.

dnolan wrote: ↑Tue Oct 06, 2020 9:24 am I guess NoScript cannot distinguish these requests because it is sitting on the fence as a kind of request firewall and the browser is not giving enough information about the original motive for the request, or the "agent" who initiated (I suppose the "thirdParty" property of the "details" argument to the "onBeforeRequest" handler is not useful in this case, right?).

Spot on.