Tue Sep 26 22:23:34 UTC 2017

#22501: Requests via javascript: violate FPI
Comment (by pospeselr):

 So the problem here is NoScript with the 'noscript.global' preference
 enabled (hence why it only happens when in the Medium or Higher security
 setting).

 When an <a> element is clicked and the href attribute starts with
 'javascript:' NoScript tries to heuristically extract a URI from the
 source by looking for a string between " or ' characters that does not
 contain invalid URI characters (
 ) and uses that as the href string instead, passing this new href on to an
 XMLHttpRequest at which point everything happens as normal.

 It will interpret the href as relative to the document's URI, unless the
 href is itself an absolute URL (per
 https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIIOService#newURI() ).

 This has some really cool consequences such that this <a> element will go
 to github when clicked with NoScript enabled:

 <a href="javascript:/* code from 'http://www.github.com' */

 proof: https://pste.eu/p/pWdf.html
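The heuristic described in the comment above, approximated as an added example (not NoScript's code and not part of the ticket) that an auditor could use to list which URLs a page's javascript: links would resolve to. The function names, the excluded-character set (the comment's own list is elided) and the example.test document URI are assumptions.

```javascript
// Added illustration only. QUOTED approximates "a string between " or '
// characters that does not contain invalid URI characters"; the exact
// character set is an assumption because the comment's list is elided.
const QUOTED = /(["'])([^"'\s<>{}|\\^`]+)\1/g;
const JS_SCHEME = /^\s*javascript:/i;

// Return every quoted candidate found in a javascript: href, resolved as the
// comment describes: relative to the document URI unless already absolute.
function extractCandidates(href, documentUri) {
  if (!JS_SCHEME.test(href)) return [];
  const body = href.replace(JS_SCHEME, "");
  const resolved = [];
  for (const match of body.matchAll(QUOTED)) {
    try {
      resolved.push(new URL(match[2], documentUri).href);
    } catch (e) {
      // Candidate could not be parsed as a URL; skip it.
    }
  }
  return resolved;
}

// Keep only the candidates whose origin differs from the document's origin,
// i.e. links that would turn a click into a request to another site.
function crossOriginCandidates(href, documentUri) {
  const docOrigin = new URL(documentUri).origin;
  return extractCandidates(href, documentUri)
    .filter((u) => new URL(u).origin !== docOrigin);
}

// Constructed sample input: the href from the comment plus a relative case.
const DOC = "https://example.test/page/index.html";
const SAMPLES = [
  "javascript:/* code from 'http://www.github.com' */",
  "javascript:void('next.html')",
  "https://example.test/plain-link",
];
for (const href of SAMPLES) {
  console.log(href, "=>", crossOriginCandidates(href, DOC));
}
```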

