NoScript's "Attempt to fix JavaScript links" feature

While doing some testing with default settings I don't normally use, I noticed bizarre network requests. I tracked them back to NoScript's "Attempt to fix JavaScript links" feature. When I load this page and it is NOT whitelisted in NoScript:

Code:

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Fix Javascript Links Test</title>
<script type="text/javascript">
var user = 'DefaultUser';
function setUser(u)
{
   user = u;
}
function showUser()
{
   alert('User = ' + user);
}
</script>
</head>
<body>
<button type="button" onclick="setUser('User1');">Set User = User1</button>
<button type="button" onclick="setUser('User2');">Set User = User2</button>
<button type="button" onclick="navigator.sendBeacon('http://site2.example/beacon', user);">sendBeacon User</button>
<button type="button" onclick="showUser();">Show User</button>
</body>
</html>

and then click on the first three buttons in sequential order, here is what my webserver sees:

Code:

1) HTTP request to site.example: HEAD /User1 (404)

2) HTTP request to site.example: HEAD /User2 (200)
3) HTTP request to site.example: GET /User2 (200)

4) HTTP request to site2.example: GET /beacon (200)

Seems like there is a "try it with HEAD, if that works GET it" approach to what it thinks are partial URL strings. Note that sendBeacon must POST, and at least sometimes involves preflight, and it isn't a top level request that would change the page. So the results were incorrect even in that case.

This feature could be useful in various scenarios, but it also seems a bit risky.

 

So do you think it's better to deselect NoScript's "Attempt to fix JavaScript links" ?

 

I lean towards disabling it so as to eliminate the chance, probably slim, of a "fix" being incorrect for the context and in some way causing an undesired consequence. I haven't really thought it through and/or studied the code though. I glanced at the source and spotted what looked like the beginning... if(this.getPref("fixLinks"))... in noscriptService.js. At some point I hope to have time to walk through it.

Conceptually, it may be the case that it spares some users from going on to whitelist a site with javascript threats that are without question a problem. So even if there are actual cases where the fix consequences would be undesireable, there is a potential upside to weigh.

Frankly, I would have posted in the NoScript forum just to see what was said, but past experiences were that my browser configuration doesn't play well with the config and I don't feel like spending time on that.

 

I've had problems on their forum logging in or posting unless NoScript is disabled. Seems a little odd. It's been awhile since aI tried it though so I can't say what it's like now.

Thanks for bringing this to our attention. I've disabled mine. If I make something untrusted, that's exactly what I mean.