I understand that enabling Fetch allows "other" sites to fetch from "this" site, at least I think that is what it means. But that seems like something I would not want to do, so maybe I am confused. Hypothetically (not real site names) - and assume my default settings are nothing allowed.
I go www.mybroker.com, open up noscript settings, and see these sites:
...mybroker.com
private.mybroker.com
news.mybroker.com
somerandomsite.com
wallstdata.com
For each of these, I choose custom and allow scripts, media, and frames - but only when the top page matches ...mybroker.com
After the page refreshes, fetch is highlighted red for some/all of the 3 mybroker.com rules, indicating fetch is needed.
So here is where I am confused. Let's say I want the scripts for subdomains of mybroker.com to be able to fetch from other mybroker.com subdomains, but I do NOT want somerandomsite.com or wallstdata.com to be able to fetch from mybroker.com (or subdomains) while I am on mybroker.com
If I enable fetch for private.mybroker.com does that allow scripts from somerandomsite.com or wallstdata.com make requests to fetch data from private.mybroker.com?
And worse (to me) if I enable fetch on ...mybroker.com, does that allow any other allowed scripts from somerandomsite.com and wallstdata.com to fetch data from mybroker.com and any of its subdomains?
Again, keep in mind for all of these rules I will restrict them to only apply if the top site matches ...mybroker.com
I hope that all makes sense, and yes... feel free to call me paranoid as heck! Or Mr. Confused User. Or both.
Obviously, I would prefer replies from someone who really knows how this works, not from someone just guessing how it works.
Thanks!
Confused on safety of allowing Fetch in Custom settings
Last edited by barbaz on Sun Apr 13, 2025 11:48 pm, edited 1 time in total.
Reason: kill board-generated link
Re: Confused on safety of allowing Fetch in Custom settings
If somerandomsite.com and wallstdata.com are allowed to run scripts on a mybroker.com webpage, their scripts run in the context of the mybroker.com webpage, so any "fetch" they initiate would look the same as a fetch initiated by mybroker.com's first-party scripts.
What you're describing could be something to think about if mybroker.com embeds (i)frames of somerandomsite.com, such that the top page matches mybroker.com (so your NoScript permissions allow the "fetch") but the fetch comes from the context of somerandomsite.com. NoScript used to handle this sort of thing via ABE (which as a general-purpose CSRF defense could also handle even more things, e.g. controlling what sites could embed non-active content like images from mybroker.com), but ABE has not yet been ported to NoScript Webext (but this is still being worked on); in the meantime you can use custom uBlock Origin filters or rules.
But more generally, really, if you don't really trust "somerandomsite.com", it seems unwise to allow it any permissions on something as sensitive-sounding as "mybroker.com".
*Always* check the changelogs BEFORE updating that important software!
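As an added example (not NoScript's code and not from the original thread), a small JavaScript model of the point made above: a fetch is attributed to the document whose script calls it, so a somerandomsite.com script running in the www.mybroker.com page produces the same request as the broker's own script, while the same call made from inside a somerandomsite.com iframe is cross-site. The "site" computation is simplified to the last two hostname labels (an assumption; browsers use the Public Suffix List), and all hosts are the thread's hypothetical ones.

```javascript
// Added model of how a browser attributes a fetch(): to the document whose
// script calls it, never to the URL the script file was loaded from.
// Assumption: "site" = last two hostname labels (browsers use the Public Suffix List).
function originOf(url) {
  return new URL(url).origin;
}

function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Returns the Sec-Fetch-Site value the browser would attach to the request,
// computed only from the document origin and the target; scriptSrc is echoed
// back so the caller can see it played no part in the decision.
function classifyFetch({ docUrl, scriptSrc, target }) {
  const doc = originOf(docUrl);
  const dst = originOf(target);
  let secFetchSite;
  if (doc === dst) secFetchSite = 'same-origin';
  else if (siteOf(docUrl) === siteOf(target)) secFetchSite = 'same-site';
  else secFetchSite = 'cross-site';
  return {
    initiator: doc,                // the origin the request is attributed to
    scriptSite: siteOf(scriptSrc), // recorded for illustration only
    secFetchSite,
    corsApplies: doc !== dst,      // reading the response needs CORS consent
  };
}

// Scenario from the question: third-party script allowed on the broker's top page.
const thirdPartyScriptOnBroker = classifyFetch({
  docUrl: 'https://www.mybroker.com/portfolio',
  scriptSrc: 'https://somerandomsite.com/widget.js',
  target: 'https://private.mybroker.com/api/positions',
});

// Same request issued by the broker's own script: indistinguishable.
const firstPartyScriptOnBroker = classifyFetch({
  docUrl: 'https://www.mybroker.com/portfolio',
  scriptSrc: 'https://www.mybroker.com/app.js',
  target: 'https://private.mybroker.com/api/positions',
});

// Scenario the reply flags: the fetch runs inside an embedded somerandomsite.com frame.
const fromEmbeddedFrame = classifyFetch({
  docUrl: 'https://somerandomsite.com/embed',
  scriptSrc: 'https://somerandomsite.com/widget.js',
  target: 'https://private.mybroker.com/api/positions',
});
```

The Sec-Fetch-Site value is what the target server can inspect to tell the embedded-frame case apart from first-party traffic; the client-side counterpart is the gap the reply says ABE used to cover and uBlock Origin rules can approximate.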
Re: Confused on safety of allowing Fetch in Custom settings
Thanks for the fast reply. What you describe is what I feared, but good to know. Maybe I should have said somerandombutrequiredsite.com, because the main site breaks without it and without fetch being allowed. I do also use uBlock rules, but filters I am less familiar with - I will look into that more.
And yeah, I really miss ABE too! Would love it if that returned and surrogates too, but uBlock does handle some of what ABE did. Again, thanks for the reminder on the uBlock filters!