On Thu, Feb 8, 2018 at 12:48 PM Georg Koppen <gk@torproject.org> wrote:

> Wait, I've never said that FPI makes security *worse*. I was arguing
> against your point that we need FPI in NoScript because that *improves*
> security:
>
> """
> A current problem we have with NoScript is that it does not respect
> first-party isolation (FPI), which is both a *security* and privacy
> issue. (emphasis mine)
> """

Oh — I’m sorry — that’s my mistake to have mentioned security there. I’m not sure now why I said that. I actually think FPI is neutral with respect to security, but an important feature for privacy. Apologies.

> So, yes, I still think *security* decisions based on the URL bar domain
> do not give you the benefit you might intend. Or am I missing here a
> scenario where FPI indeed improves security as you claimed?

No, I think you’re right that there’s no improvement. But FPI doesn’t necessarily imply security *decisions* based on URL bar domain. With NoScript, I can decide to unblock a video from thirdparty.com, which is a security decision based on my level of trust for that third-party domain, and introducing FPI would merely ensure that decision won’t leak to other first parties.

(Personally, I would guess it’s too difficult for users to make decisions on specific third-party domains, and it’s more realistic for users to base their trust on the first party, which is visible in the URL bar and should be held responsible for third-party malware. But that is a UX/risk issue separate from the FPI question.)