Trust for WebSocket vs. other "fetch"

Posted: Sun Apr 05, 2026 9:09 pm
by barbaz
https://noscript.net/getit/#recent-development-history wrote:
v 13.6.15.901
============================================================
[...]
x Block websocket connections where the fetch capability is
disabled (thanks Security Research Labs for report)

Nice to see NoScript can control WebSockets separately now! This is a much more convenient way of default-denying WebSocket connections 8-)

Since XHR and Fetch API are basically just script-driven requests, whereas WebSockets are a more persistent connection with more bidirectional communication, I've been thinking of WebSockets as requiring more trust than XHR/fetch(). But NoScript grouping WebSockets under the same "fetch" permission (instead of creating a separate "websocket" permission) suggests that my thinking is incorrect? What am I missing?

Re: Trust for WebSocket vs. other "fetch"

Posted: Sun Apr 05, 2026 10:09 pm
by Giorgio Maone
This change is a part of an in-depth 3rd party security review NoScript is currently undergoing.

I agree that a separate websocket capability would be more useful, and I'm likely to add it before the next stable release.

Additionally, both fetch and websocket, given their nature, will allow the communication to happen only if the permission is granted both to the origin and to the destination.