On 1 February 2018 at 19:33, Arthur D. Edelstein <arthuredelstein@gmail.com> wrote:
- A current problem we have with NoScript is that it does not respect first-party isolation (FPI), which is both a security and privacy issue. For example, if I set the Security Settings to Medium, and visit youtube.com, and click on the NoScript button to unblock media from YouTube.com, then embedded YouTube videos are now unblocked on all other websites. The same goes for more subtle things like Google Analytics scripts. So I'd propose we try to get FPI working for NoScript unblocking, similar to our enforcement of FPI for Permissions from #21569. That's especially important if we emphasize that controls in the URL bar or the Permissions door-hanger are intended for per-site use.
Oof, yea NoScript should get FPI treatment.
- The Security Slider is also quite dangerous if used for per-site purposes. If a user decides they want to visit A.com at "Low" Security and B.com at "High" Security, they have to be very careful not to accidentally expose B.com to "Low" Security. A simple click of the back button could result in a mistake. Or, if the user has multiple tabs or windows open, and they switch the Security Slider, because of the current tab, they apply the new security setting to all open tabs, which could result in accidental unwanted exposure to dangerous content in background tabs.
Therefore, I'm wondering if putting the Security Slider on the toolbar might actually increase the danger for some users by encouraging its frequent use. A possibly safer approach could be to display the global Security Slider either embedded in the about:tor page, or in a prompt at startup. That way we can force users to make a one-time decision for the global setting and discourage them from changing it repeatedly while they browse.
Yet another approach could be to invoke "New Identity" whenever Security Settings are changed, such that all tabs are closed and a new empty window is opened before the new global setting takes effect. (Of course users would need to be warned and given the option to cancel.)
Why not make the security slider per-site? Have a default slider setting, and a per-first-party override.
Glancing things over, engineering-wise it looks like it'd mostly be not-that-difficult plumbing. I mean you probably couldn't bang it out in a week, but maybe a couple? The hardest part is trying to do it in such a way that it becomes upliftable....
I'm pretty sure this has been discussed before, but I guess I forget where the discussion went...
-tom
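
A toy model of the two ideas discussed in this thread, added here as an illustration; it is not code from NoScript, Tor Browser or either poster. It contrasts an unblock permission keyed only by the content's site with one keyed by the (first party, content site) pair, and shows a default slider level with a per-first-party override. All class and function names are hypothetical, and sites are assumed to be already reduced to their registrable domain.

```javascript
// Toy model (hypothetical names); sites are assumed to be already reduced
// to their registrable domain (eTLD+1).
const LEVELS = ["Low", "Medium", "High"];

// Permission keyed by the content's site only: one grant applies everywhere.
class GlobalAllowlist {
  constructor() { this.grants = new Set(); }
  allow(firstParty, contentSite) { this.grants.add(contentSite); }
  isAllowed(firstParty, contentSite) { return this.grants.has(contentSite); }
}

// Permission keyed by (URL-bar site, content site): a grant stays where it was made.
class IsolatedAllowlist {
  constructor() { this.grants = new Set(); }
  static key(firstParty, contentSite) { return JSON.stringify([firstParty, contentSite]); }
  allow(firstParty, contentSite) { this.grants.add(IsolatedAllowlist.key(firstParty, contentSite)); }
  isAllowed(firstParty, contentSite) {
    return this.grants.has(IsolatedAllowlist.key(firstParty, contentSite));
  }
}

// Default slider level plus per-first-party overrides.
class SecurityLevels {
  constructor(defaultLevel) {
    this.defaultLevel = SecurityLevels.check(defaultLevel);
    this.overrides = new Map();
  }
  static check(level) {
    if (!LEVELS.includes(level)) throw new RangeError(`unknown level: ${level}`);
    return level;
  }
  setOverride(firstParty, level) { this.overrides.set(firstParty, SecurityLevels.check(level)); }
  levelFor(firstParty) { return this.overrides.get(firstParty) ?? this.defaultLevel; }
}

// Constructed scenario: unblock YouTube media while visiting youtube.com,
// then load a page on another site (blog.example) that embeds a YouTube video.
function embedAllowedElsewhere(allowlist) {
  allowlist.allow("youtube.com", "youtube.com");
  return allowlist.isAllowed("blog.example", "youtube.com");
}

console.log(embedAllowedElsewhere(new GlobalAllowlist()));   // grant leaks across sites
console.log(embedAllowedElsewhere(new IsolatedAllowlist())); // grant stays on youtube.com
const slider = new SecurityLevels("High");
slider.setOverride("a.com", "Low");
console.log(slider.levelFor("a.com"), slider.levelFor("b.com"));
```

Because the level is looked up by first party at load time, changing it for one site does not alter what background tabs on other sites are allowed to run.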