[tbb-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 29 16:56:11 UTC 2017


#21034: Per site security settings?
--------------------------------------+--------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:  #20843                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by jonathanfemideer):

 Replying to [comment:18 gk]:
 > Replying to [comment:16 jonathanfemideer]:
 > > Replying to [comment:13 gk]:
 > > > Is it "high" because one said in 1) for foo.com the rule is "high"?
 > >
 > > Again, the answer here is, "No," and again this is because the user is
 viewing, within one tab, content from ''both'' sites.
 >
 > I am confused about that one because reading the other parts of your
 response leads me to assume you meant "Yes". The context of the quote you
 took is the *iframe* and not the whole site. Or did I misunderstand your
 position?

 Good catch! Sorry for my mistake. You are quite right that the context you
 were asking about in the portion of your question that I quoted was the
 '''iframe''' in that tab, not the whole site, the whole page, or the whole
 content of the tab. Let me try again :)

 > > > But for now let's assume we implement this indeed how is the
 implementation supposed to behave in the following scenario:
 > > >
 > > > 0) By default the user is in "medium" mode.
 > > > 1) In tab 1 one has foo.com open. A user does not like to have
 "medium" mode here but says: "For this site I want to have high security
 because I am scared" and adapts that accordingly.
 > > > 2) In tab 2 bar.com is open which is per default (see 0)) above in
 "medium" mode. But bar.com includes an iframe pointing to foo.com.
 > > >
 > > > Now the question is: what are the security settings for stuff loaded
 in the iframe? Is it "medium" because it is embedded in bar.com and
 bar.com is the site you are in contact with?
 > >
 > > The answer here is, "No," because of the false premise, "''bar.com is
 '''the''' site you are in contact with''". This premise is false because
 the user in your example is viewing, within one tab, content from ''both''
 sites.
 > >
 > > > Is it "high" because one said in 1) for foo.com the rule is "high"?
 > >

 The answer here is, "Yes."

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21034#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list