Does "Revoke Temporary Permissions" affect every tab?

Post a reply

Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek:

BBCode is ON
[img] is ON
[url] is ON
Smilies are ON

Topic review
   

Expand view Topic review: Does "Revoke Temporary Permissions" affect every tab?

Re: Does "Revoke Temporary Permissions" affect every tab?

by Giorgio Maone » Thu Jun 28, 2018 9:16 pm

FranL wrote:Are there any plans to add such an option?
It was one of the most hated features in NoScript "Classic" (mostly because of the performance implications and the potential disruption of ongoing work), so as an option it's probably low priority.

Re: Does "Revoke Temporary Permissions" affect every tab?

by FranL » Thu Jun 28, 2018 3:55 pm

Thanks, Giorgio. That clarifies my understanding.

I don't always remember to reload the other tabs after I revoke temporary permissions. An option to auto-reload all affected tabs would be ideal. Are there any plans to add such an option?

Re: Does "Revoke Temporary Permissions" affect every tab?

by Giorgio Maone » Wed Jun 27, 2018 4:37 pm

FranL wrote:Consider this sequence of events:
  • User switches to tab B and interacts with the dynamic content on tab B without reloading the page, but tab B still trusts the domains for which the user revoked temporary trust in tab A, so the scripts in tab B can still access those domains.
Am I misunderstanding how temporary permissions work?
Slightly.
Everything that has been already loaded in tab B still works until the tab is reloaded (i.e. page's ability to run already parsed scripts persists until it's reloaded). But no new script source, unless otherwise previously set to (permanently) TRUSTED can be dynamically loaded by that tab.

Re: Does "Revoke Temporary Permissions" affect every tab?

by FranL » Wed Jun 27, 2018 4:08 pm

Consider this sequence of events:
  • User has two tabs (A and B) open.
  • In tab A, the user clicks "Set all on this page to Temporary TRUSTED". This creates temporary trust for a set of domains (on all tabs).
  • Scripts on both tabs can now access those temporarily-trusted domains.
  • In tab A, the user clicks "Revoke Temporary Permissions". Tab A is now safe from scripts on that set of domains, but tab B is not safe (until the page on tab B is reloaded).
  • User switches to tab B and interacts with the dynamic content on tab B without reloading the page, but tab B still trusts the domains for which the user revoked temporary trust in tab A, so the scripts in tab B can still access those domains.
Am I misunderstanding how temporary permissions work?

Re: Does "Revoke Temporary Permissions" affect every tab?

by barbaz » Tue Jun 26, 2018 5:36 pm

FranL wrote:Isn't that a security risk?
Why would it be? The security risk in having a site allowed happens when you allow the site. Not when you revoke the permission.
FranL wrote:Given that this behavior is new to NS 10 (NS Classic reloads all tabs in this use case),
Well, NoScript Classic had this configurable. I have mine set up to reload only the current tab. Don't need background tabs reloading and wasting my bandwidth.
FranL wrote:when Tor browser upgrades to NS 10, will they have a concern about this change to the attack surface?
What attack surface does this change? Again, there is no significant security difference to having a site always allowed vs. allowing it and then forbidding it.
FranL wrote:If there is a good reason that "Revoke Temporary Permissions" should NOT reload all tabs, perhaps a warning could be displayed.
Why?

Re: Does "Revoke Temporary Permissions" affect every tab?

by FranL » Tue Jun 26, 2018 3:30 pm

Isn't that a security risk? The user clicks a button labelled "Revoke Temporary Permissions", but only a subset of temporary permissions are revoked — until the user performs a manual operation.

This appears to violate the Principle of Least Astonishment, because the user thinks he is restoring a level of security that is not fully restored. Given that this behavior is new to NS 10 (NS Classic reloads all tabs in this use case), when Tor browser upgrades to NS 10, will they have a concern about this change to the attack surface?

If there is a good reason that "Revoke Temporary Permissions" should NOT reload all tabs, perhaps a warning could be displayed.

Re: Does "Revoke Temporary Permissions" affect every tab?

by barbaz » Mon Jun 25, 2018 4:07 pm

Yes but it won't take effect until you reload the tab.

Does "Revoke Temporary Permissions" affect every tab?

by FranL » Mon Jun 25, 2018 3:09 pm

When I click "Revoke Temporary Permissions", the current tab reloads but not the other tabs.
Are the permissions actually revoked in every tab (including the ones that didn't reload)?
--
Fran

Top