[tbb-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 28 11:41:29 UTC 2017


#21034: Per site security settings?
--------------------------------------+--------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:  #20843                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by arthuredelstein):

 Replying to [comment:13 gk]:
 > So, I am inclined to resolve this as `WONTFIX` due to the UX nightmare
 at least. But for now let's assume we implement this indeed how is the
 implementation supposed to behave in the following scenario:
 >
 > 0) By default the user is in "medium" mode.
 > 1) In tab 1 one has foo.com open. A user does not like to have "medium"
 mode here but says: "For this site I want to have high security because I
 am scared" and adapts that accordingly.
 > 2) In tab 2 bar.com is open which is per default (see 0)) above in
 "medium" mode. But bar.com includes an iframe pointing to foo.com.
 >
 > Now the question is: what are the security settings for stuff loaded in
 the iframe? Is it "medium" because it is embedded in bar.com and bar.com
 is the site you are in contact with? Is it "high" because one said in 1)
 for foo.com the rule is "high"? If the latter how does one cope with
 broken sites and the problem that one is actually dealing with *sites* and
 not particular elements embedded in it? If the former why do we have per
 site security settings at all?

 When I opened this ticket, I was envisioning the former (sorry this wasn't
 clearly stated). So maybe, strictly speaking, the proposed feature should
 be called "per-first-party security settings" instead of "per-site
 security settings".

 Already, a first-party domain is ultimately responsible for everything
 loaded in a page, including third-party scripts and iframes. And some
 first-party domains are more trustworthy than others.

 For example, I sometimes keep Tor Browser on the "high security" setting
 by default. Sometimes I need to lower the security level for a particular
 HTTPS site because it is otherwise unusable. In that case, I have
 determined that I trust the site not to embed a shady third-party iframe.
 Unfortunately, currently, in order to lower the security setting of that
 site, I need to lower the security setting for all sites. This is
 obviously dangerous and also potentially risks cross-site linking.

 As far as UX is considered, my thinking would be to have security setting
 button next to the URL bar, similar to the NoScript button. The button's
 dropdown menu would have the title "Security setting for this page" with
 the three options (Low, Medium, High). In fact, it might be possible to
 hide the NoScript button altogether, because the "Temporarily allow all
 this page" menu option is more or less redundant in this situation.

 Having a separate content process for each first-party not only would make
 this possibly feasible, but it would also reduce the risk that exploits
 can link one tab to another.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21034#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list