On Thu, Feb 8, 2018 at 12:41 AM, Georg Koppen gk@torproject.org wrote:
""" What I am trying to say is: making security decisions based on the URL bar domain does not work. The malware from foo.com you are afraid of does not care if there is first-party isolation on or off. It just needs *one way* to get to you. I believe users are aware of that and expecting that a security slider that defends them against that takes this into account. """
I hear what you're saying here, but I don't think this reasoning applies to NoScript as it is actually used in Tor Browser (or any similar implementation of per-domain blocking).
Currently, if I have the global security slider set to Medium or High, then I use the NoScript menu to *unblock* resources that were blocked by default. I believe enforcing FPI on such *unblocking* decisions will not harm security. That is: if I decide to unblock thirdparty.com under A.com, then thirdparty.com will remain blocked under B.com, but there is no additional exploit exposure.
Whereas, with the global security slider at Low Security, everything is already unblocked by default, so I don't have a use for the NoScript menu. There is no useful way to make per-site *blocking* decisions. (Deciding to block content that already ran doesn't protect me against exploits!) So, while enforcing FPI on the user's per-domain blocking decisions would harm security in principle, such per-domain security upgrades aren't practical.
Therefore, it seems to me that FPI causes no harm to security for real use cases, at least for any model like the current one, where users choose a global default security level and then make per-site security downgrades only (no upgrades). Of course if that's the model we adopt going ahead, then the UI could enforce that model better.
""" Now, a user making exceptions for particular domains and particular active content is already exposing themselves to tracking because they are leaving one of the slider levels. So, I guess you suggest to not stop the privacy problem but just to make it a bit less bad with FPI of NoScript as far as the privacy argument is concerned? """
I think the lack of FPI in NoScript can be a significant detriment to privacy. And it breaks our general FPI policy that users expect. With FPI, the harm from departing from a slider level will be very minimal because it doesn't permit cross-site tracking. What remains is only a very weak tracking of users by their behavior across return visits to the same site.
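The argument in this reply can be checked with a small model. The following is an added example, not code from this thread, from Tor Browser or from NoScript; the class and function names (ExceptionStore, ThirdPartyScript, simulate) and the sites a.com, b.com and thirdparty.com are made up for illustration. It models a user at a blocking slider level who unblocks thirdparty.com under a.com, then visits b.com, and reports where the script is allowed to run and whether a third-party script can link the two visits, with first-party isolation (FPI) on and off.

```python
# Toy model of NoScript-style per-site unblock exceptions with and without
# first-party isolation (FPI). Constructed example for illustration; it is
# not Tor Browser or NoScript code, and all names here are hypothetical.


class ExceptionStore:
    """Per-domain *unblock* exceptions a user adds on top of a blocking
    default (the Medium/High slider case). With FPI the exception is keyed
    by the first-party site it was granted under; without FPI it is global."""

    def __init__(self, fpi: bool):
        self.fpi = fpi
        self._unblocked = set()

    def _key(self, first_party: str, resource_domain: str):
        # Without FPI the first party is ignored, so one exception applies everywhere.
        return (first_party if self.fpi else None, resource_domain)

    def unblock(self, first_party: str, resource_domain: str) -> None:
        self._unblocked.add(self._key(first_party, resource_domain))

    def is_allowed(self, first_party: str, resource_domain: str) -> bool:
        return self._key(first_party, resource_domain) in self._unblocked


class ThirdPartyScript:
    """Stand-in for a script from thirdparty.com that stores an identifier.
    Under FPI its storage is partitioned by the embedding first party, so the
    identifier set under a.com is not the one it sees under b.com."""

    def __init__(self, fpi: bool):
        self.fpi = fpi
        self._storage = {}
        self._next = 0

    def run(self, first_party: str) -> str:
        partition = first_party if self.fpi else None
        if partition not in self._storage:
            self._storage[partition] = f"uid-{self._next}"
            self._next += 1
        return self._storage[partition]


def simulate(fpi: bool, unblock_on_b: bool = False) -> dict:
    """User at a blocking slider level unblocks thirdparty.com under a.com,
    then visits b.com (optionally unblocking it there too). Report where the
    script ran and whether the identifiers it saw link the two visits."""
    exceptions = ExceptionStore(fpi)
    tracker = ThirdPartyScript(fpi)
    third = "thirdparty.com"

    exceptions.unblock("a.com", third)
    if unblock_on_b:
        exceptions.unblock("b.com", third)

    seen = {}
    for site in ("a.com", "b.com"):
        if exceptions.is_allowed(site, third):
            seen[site] = tracker.run(site)

    return {
        "allowed_on_a": "a.com" in seen,
        "allowed_on_b": "b.com" in seen,
        "linkable": len(seen) == 2 and seen["a.com"] == seen["b.com"],
    }


if __name__ == "__main__":
    for fpi in (False, True):
        for both in (False, True):
            print(f"fpi={fpi} unblock_on_b={both}: {simulate(fpi, both)}")
```

Running it shows the two claims side by side: without FPI the single exception silently unblocks thirdparty.com under b.com as well and the visits share one identifier, whereas with FPI the exception stays scoped to a.com, and even a second deliberate exception under b.com yields a different identifier, so the only remaining linkage is across return visits to the same site.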