Trust for WebSocket vs. other "fetch"

General discussion about the NoScript extension for Firefox
barbaz
Senior Member
Posts: 11161
Joined: Sat Aug 03, 2013 5:45 pm

Trust for WebSocket vs. other "fetch"

Post by barbaz »

https://noscript.net/getit/#recent-development-history wrote:
v 13.6.15.901
============================================================
[...]
x Block websocket connections where the fetch capability is
disabled (thanks Security Research Labs for report)

Nice to see NoScript can control WebSockets separately now! This is a much more convenient way of default-denying WebSocket connections 8-)

Since XHR and Fetch API are basically just script-driven requests, whereas WebSockets are a more persistent connection with more bidirectional communication, I've been thinking of WebSockets as requiring more trust than XHR/fetch(). But NoScript grouping WebSockets under the same "fetch" permission (instead of creating a separate "websocket" permission) suggests that my thinking is incorrect? What am I missing?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0
Giorgio Maone
Site Admin
Posts: 9556
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Trust for WebSocket vs. other "fetch"

Post by Giorgio Maone »

This change is a part of an in-depth 3rd party security review NoScript is currently undergoing.

I agree that a separate websocket capability would be more useful, and I'm likely to add it before the next stable release.

Additionally, both fetch and websocket, given their nature, will allow the communication to happen only if the permission is granted both to the origin and to the destination.
Mozilla/5.0 (X11; Linux x86_64; rv:150.0) Gecko/20100101 Firefox/150.0