[tbb-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 28 11:53:29 UTC 2017

#21034: Per site security settings?
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:  #20843                    |         Points:
 Reviewer:                            |        Sponsor:

Comment (by gk):

 Replying to [comment:14 arthuredelstein]:
 > Replying to [comment:13 gk]:
 > > So, I am inclined to resolve this as `WONTFIX` due to the UX nightmare
 at least. But for now let's assume we implement this indeed how is the
 implementation supposed to behave in the following scenario:
 > >
 > > 0) By default the user is in "medium" mode.
 > > 1) In tab 1 one has foo.com open. A user does not like to have
 "medium" mode here but says: "For this site I want to have high security
 because I am scared" and adapts that accordingly.
 > > 2) In tab 2 bar.com is open which is per default (see 0)) above in
 "medium" mode. But bar.com includes an iframe pointing to foo.com.
 > >
 > > Now the question is: what are the security settings for stuff loaded
 in the iframe? Is it "medium" because it is embedded in bar.com and
 bar.com is the site you are in contact with? Is it "high" because one said
 in 1) for foo.com the rule is "high"? If the latter how does one cope with
 broken sites and the problem that one is actually dealing with *sites* and
 not particular elements embedded in it? If the former why do we have per
 site security settings at all?
 > When I opened this ticket, I was envisioning the former (sorry this
 wasn't clearly stated). So maybe, strictly speaking, the proposed feature
 should be called "per-first-party security settings" instead of "per-site
 security settings".

 But the user in my example clearly indicated they want to have foo.com in
 "high" mode. Like clearly, clearly, because they are scared about that
 particular domain. That wish is not dependent on any other site embedding
 foo.com nor on any other site doing so on any security level. What I am
 trying to say is: making security decisions based on the URL bar domain
 does not work. The malware from foo.com you are afraid of does not care if
 there is first-party isolation on or off. It just needs *one way* to get
 to you. I believe users are aware of that and expecting that a security
 slider that defends them against that takes this into account.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21034#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list