[tbb-dev] Proposal for redesigning the security controls
Arthur D. Edelstein
arthuredelstein at gmail.com
Fri Feb 9 00:32:40 UTC 2018
On Thu, Feb 8, 2018 at 3:08 PM, Arthur D. Edelstein
<arthuredelstein at gmail.com> wrote:
> In general, login status can affect exploit risk significantly, so
> allowing blocking decisions to leak between login and non-login sites
> appears to be a security issue. If we modify NoScript to respect FPI,
> then that problem is averted.
Another variant might be: a government wants to deliver an exploit to
everyone anonymously visiting a particular (first-party) site, say
embarrassing-government-secrets.com. They again force a popular CDN
provider, such as ajax.googleapis.com, to provide the exploit via a
third-party script for that site specifically. Again, High Security
users who have already unblocked that CDN under another,
non-controversial first party such as stackoverflow.com are vulnerable
in the absence of FPI. So that's an example where the risk of
unblocking a third-party script depends on the trust a user has in the
first-party domain.
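Added example, not part of the original message and not NoScript code: the scenario above replayed against two decision stores, one global and one keyed by first party. The class and function names are hypothetical, decisions are keyed on hostname for simplicity, and the URL paths are constructed.

```javascript
// Added illustration; class and function names are hypothetical, not NoScript's API.
// Assumption: decisions are keyed on hostname rather than on a registrable domain.
const hostOf = (url) => new URL(url).hostname;

// Without FPI: one unblock of a script host applies under every first party.
class GlobalAllowlist {
  constructor() { this.allowed = new Set(); }
  unblock(_firstParty, script) { this.allowed.add(hostOf(script)); }
  permits(_firstParty, script) { return this.allowed.has(hostOf(script)); }
}

// With FPI: each unblock is stored under the first party where the user made it.
class FirstPartyIsolatedAllowlist {
  constructor() { this.allowed = new Map(); } // first-party host -> Set of script hosts
  unblock(firstParty, script) {
    const fp = hostOf(firstParty);
    if (!this.allowed.has(fp)) this.allowed.set(fp, new Set());
    this.allowed.get(fp).add(hostOf(script));
  }
  permits(firstParty, script) {
    const hosts = this.allowed.get(hostOf(firstParty));
    return hosts !== undefined && hosts.has(hostOf(script));
  }
}

// Replays a session and returns the loads that ran under a first party
// where the user never approved that script host (a leaked decision).
function leakedLoads(policy, events) {
  const decided = new Set(); // pairs the user explicitly approved
  const leaks = [];
  for (const e of events) {
    const pair = `${hostOf(e.firstParty)} <- ${hostOf(e.script)}`;
    if (e.action === "unblock") {
      policy.unblock(e.firstParty, e.script);
      decided.add(pair);
    } else if (policy.permits(e.firstParty, e.script) && !decided.has(pair)) {
      leaks.push(pair);
    }
  }
  return leaks;
}
// Constructed session: hostnames are from the message, paths are made up.
const cdn = "https://ajax.googleapis.com/lib.js";
const session = [
  { action: "unblock", firstParty: "https://stackoverflow.com/q/1", script: cdn },
  { action: "load", firstParty: "https://stackoverflow.com/q/2", script: cdn },
  { action: "load", firstParty: "https://embarrassing-government-secrets.com/", script: cdn },
];
console.log(leakedLoads(new GlobalAllowlist(), session));
console.log(leakedLoads(new FirstPartyIsolatedAllowlist(), session));
```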