[tbb-dev] Proposal for redesigning the security controls

Tom Ritter tom at ritter.vg
Tue Feb 6 05:37:39 UTC 2018

On 1 February 2018 at 19:33, Arthur D. Edelstein
<arthuredelstein at gmail.com> wrote:
> 1. A current problem we have with NoScript is that it does not respect
> first-party isolation (FPI), which is both a security and privacy
> issue. For example, if I set the Security Settings to Medium, and
> visit youtube.com, and click on the NoScript button to unblock media
> from YouTube.com, then embedded YouTube videos are now unblocked on
> all other websites. The same goes for more subtle things like Google
> Analytics scripts. So I'd propose we try to get FPI working for
> NoScript unblocking, similar to our enforcement of FPI for Permissions
> from #21569. That's especially important if we emphasize that controls
> in the URL bar or the Permissions door-hanger are intended for
> per-site use.

Oof, yea NoScript should get FPI treatment.

> 2. The Security Slider is also quite dangerous if used for per-site
> purposes. If a user decides they want to visit A.com at "Low" Security
> and B.com at "High" Security, they have to be very careful not to
> accidentally expose B.com to "Low" Security. A simple click of the
> back button could result in a mistake. Or, if the user has multiple
> tabs or windows open, and they switch the Security Slider, because of
> the current tab, they apply the new security setting to all open tabs,
> which could result in accidental unwanted exposure to dangerous
> content in background tabs.
> Therefore, I'm wondering if putting the Security Slider on the toolbar
> might actually increase the danger for some users by encouraging its
> frequent use. A possibly safer approach could be to display the global
> Security Slider either embedded in the about:tor page, or in a prompt
> at startup. That way we can force users to make a one-time decision
> for the global setting and discourage them from changing it repeatedly
> while they browse.
> Yet another approach could be to invoke "New Identity" whenever
> Security Settings are changed, such that all tabs are closed and a new
> empty window is opened before the new global setting takes effect. (Of
> course users would need to be warned and given the option to cancel.)

Why not make the security slider per-site?  Have a default slider
setting, and a per-first-party override.

Glancing things over, engineering-wise it looks like it'd mostly be
not-that-difficult plumbing. I mean you probably couldn't bang it out
in a week, but maybe a couple? The hardest part is trying to do it in
such a way that it becomes upliftable....

I'm pretty sure this has been discussed before, but I guess I forget
where the discussion went...
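As an added illustration (not NoScript or Tor Browser code), the toy policy store below contrasts the resource-keyed unblock that leaks across sites, as described in item 1, with a first-party-isolated unblock, and models the default slider level plus per-first-party override suggested in the reply. The site function is a hypothetical simplification (last two hostname labels) rather than the real Public Suffix List.

```javascript
// Added illustration, not NoScript or Tor Browser code: a toy policy store that
// contrasts resource-keyed unblocks (the cross-site leak described above) with
// first-party-isolated unblocks, and models a global slider level with a
// per-first-party override. Site = last two hostname labels (simplification).

const LEVELS = ["low", "medium", "high"];

function siteOf(url) {
  // Hypothetical eTLD+1: last two labels (real code would use the PSL).
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

class SecurityPolicy {
  constructor(globalLevel = "medium") {
    if (!LEVELS.includes(globalLevel)) throw new Error("bad level");
    this.globalLevel = globalLevel;
    this.siteLevel = new Map();   // first-party site -> level override
    this.unblocked = new Set();   // keys built by unblockKey()
  }

  // Effective level for a top-level page: override if set, else global.
  levelFor(topUrl) {
    return this.siteLevel.get(siteOf(topUrl)) ?? this.globalLevel;
  }

  setSiteLevel(topUrl, level) {
    if (!LEVELS.includes(level)) throw new Error("bad level");
    this.siteLevel.set(siteOf(topUrl), level);
  }

  // Without isolation the key is the resource site alone, so one click on
  // youtube.com unblocks YouTube embeds everywhere. With isolation the key
  // is (first party, resource site), scoping the decision to that site.
  unblockKey(topUrl, resourceUrl, isolated) {
    const res = siteOf(resourceUrl);
    return isolated ? `${siteOf(topUrl)}|${res}` : res;
  }

  unblock(topUrl, resourceUrl, isolated) {
    this.unblocked.add(this.unblockKey(topUrl, resourceUrl, isolated));
  }

  // "low" allows everything; otherwise the resource needs an unblock entry.
  isAllowed(topUrl, resourceUrl, isolated) {
    if (this.levelFor(topUrl) === "low") return true;
    return this.unblocked.has(this.unblockKey(topUrl, resourceUrl, isolated));
  }
}
```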


