Arthur D. Edelstein:
On Thu, Feb 8, 2018 at 12:41 AM, Georg Koppen gk@torproject.org wrote:
""" What I am trying to say is: making security decisions based on the URL bar domain does not work. The malware from foo.com you are afraid of does not care if there is first-party isolation on or off. It just needs *one way* to get to you. I believe users are aware of that and expecting that a security slider that defends them against that takes this into account. """
I hear what you're saying here, but I don't think this reasoning applies to NoScript as it is actually used in Tor Browser (or any similar implementation of per-domain blocking).
Currently, if I have the global security slider set to Medium or High, then I use the NoScript menu to *unblock* resources that were blocked by default. I believe enforcing FPI on such *unblocking* decisions will not harm security. That is: if I decide to unblock thirdparty.com under A.com, then thirdparty.com will remain blocked under B.com, but there is no additional exploit exposure.
Whereas, with the global security slider at Low Security, everything is already unblocked by default, so I don't have a use for the NoScript menu. There is no useful way to make per-site *blocking* decisions. (Deciding to block content that already ran doesn't protect me against exploits!) So, while enforcing FPI on the user's per-domain blocking decisions would harm security in principle, such per-domain security upgrades aren't practical.
Therefore, it seems to me that FPI causes no harm to security for real use cases, at least for any model like the current one, where users choose a global default security level and then make per-site security downgrades only (no upgrades). Of course if that's the model we adopt going ahead, then the UI could enforce that model better.
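The two cases in the argument above (per-site *unblocking* from a Medium/High default, and per-site *blocking* from a Low default), modelled as an added example that is not code from NoScript, Tor Browser or this thread; the site names are constructed and the decision-merging rule is an assumption:

```python
# Added model of per-domain decisions with and without first-party isolation
# (FPI). Without FPI a decision is keyed by the third-party origin alone;
# with FPI it is keyed by the (first-party, third-party) pair. "Exposure" is
# the set of (first-party, third-party) contexts in which a script runs.
from itertools import product

FIRST_PARTIES = ["a.com", "b.com"]                 # constructed sample sites
THIRD_PARTIES = ["thirdparty.com", "cdn.example"]  # constructed sample sites

def exposure(default_allow, decisions, fpi):
    """Return the set of (first_party, third_party) pairs where script runs.

    default_allow: global slider default (True = Low, everything allowed;
                   False = Medium/High, blocked until unblocked).
    decisions:     (first_party, third_party, allow) choices the user made
                   from the per-site menu while visiting first_party.
    fpi:           True if a decision only applies under the first party it
                   was made under; False if it applies under every first party.
    """
    allowed = set()
    for fp, tp in product(FIRST_PARTIES, THIRD_PARTIES):
        verdict = default_allow
        for d_fp, d_tp, allow in decisions:
            if d_tp == tp and (not fpi or d_fp == fp):
                verdict = allow  # assumption: later decisions override earlier ones
        if verdict:
            allowed.add((fp, tp))
    return allowed

def downgrade_case():
    """Medium/High default; user unblocks thirdparty.com under a.com only."""
    decisions = [("a.com", "thirdparty.com", True)]
    return exposure(False, decisions, fpi=True), exposure(False, decisions, fpi=False)

def upgrade_case():
    """Low default; user blocks thirdparty.com under a.com only."""
    decisions = [("a.com", "thirdparty.com", False)]
    return exposure(True, decisions, fpi=True), exposure(True, decisions, fpi=False)

if __name__ == "__main__":
    for name, case in (("downgrade", downgrade_case), ("upgrade", upgrade_case)):
        with_fpi, without_fpi = case()
        print(name, "FPI exposure:", sorted(with_fpi))
        print(name, "no-FPI exposure:", sorted(without_fpi))
```

In the downgrade case the FPI exposure set is a subset of the non-FPI one (unblocking under a.com does not reach b.com), while in the upgrade case it is a superset, which is the "harm in principle" the message concedes for per-site blocking.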
Georg Koppen:
Wait, I've never said that FPI makes security *worse*. I was arguing against your point that we need FPI in NoScript because that *improves* security:
""" A current problem we have with NoScript is that it does not respect first-party isolation (FPI), which is both a *security* and privacy issue. (emphasis mine) """
So, yes, I still think *security* decisions based on the URL bar domain do not give you the benefit you might intend. Or am I missing a scenario here where FPI indeed improves security as you claimed?
Georg