By default, NoScript is configured to check cross-site requests for XSS, per the following about:config preference ...
noscript.injectionCheck
0 - never check
1 - check cross-site requests from temporary allowed sites
2 - check every cross-site request (default)
3 - check every request
However, I have found that the default setting does not respect the Mozilla same-origin policy (https://developer.mozilla.org/en-US/doc ... JavaScript) -- NoScript does not differentiate origin based upon the protocol (and presumably doesn't differentiate based upon the port) as it should.
Exploit scenario:
1) User types "examplebank.com" (without "https://") into their URL bar, knowing they will be redirected to the secure site, which they confirm upon page load
2) A man-in-the-middle is able to impersonate the non-secure version of examplebank.com, and silently redirects the user to the secure site, but with an XSS injection appended to the URL
3) User enters their credentials, under the impression that the page is secure and was protected from XSS
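Added example, not part of the original post and not NoScript's own code: a small model of how a host-only "cross-site" test and a full same-origin test (scheme, host, port) classify the redirect in step 2 at each noscript.injectionCheck level. The function names, the sample URLs and the PLACEHOLDER query value are assumptions made for illustration.

```javascript
// Added example: models the two origin comparisons discussed in the post.
// Not NoScript's implementation; all function names are hypothetical.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Same-origin policy tuple: scheme, host and effective port.
function originTuple(url) {
  const u = new URL(url);
  // URL.port is "" when the port is the scheme default, so normalise it.
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol] || ""].join("|");
}

// Host-only comparison: the behaviour the post reports observing.
function sameHost(a, b) {
  return new URL(a).hostname === new URL(b).hostname;
}

// Full same-origin comparison: the behaviour the post expects.
function sameOrigin(a, b) {
  return originTuple(a) === originTuple(b);
}

// Is the request inspected at a given noscript.injectionCheck level
// (values as listed in the post)? `isSameSite` is the comparison in use.
function isChecked(level, from, to, isSameSite, fromTempAllowed = false) {
  const crossSite = !isSameSite(from, to);
  switch (level) {
    case 0: return false;                        // never check
    case 1: return crossSite && fromTempAllowed; // cross-site, temp-allowed source
    case 2: return crossSite;                    // every cross-site request
    case 3: return true;                         // every request
    default: throw new RangeError("unknown injectionCheck level: " + level);
  }
}

// Constructed sample: the redirect from step 2 of the scenario.
const from = "http://examplebank.com/";
const to = "https://examplebank.com/login?q=PLACEHOLDER";

function report() {
  return [0, 1, 2, 3].map((level) => ({
    level,
    hostOnly: isChecked(level, from, to, sameHost),
    sameOriginPolicy: isChecked(level, from, to, sameOrigin),
  }));
}

console.table(report());
```

In this model the two comparisons disagree at level 2 (and at level 1 when the source is temporarily allowed), while level 3 inspects the redirect regardless of how origins are compared.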