[Invalid] 11.4.10rc3 Cross-tab identity leak protection trips way too late

Bug reports and enhancement requests
barbaz
Senior Member
Posts: 10401
Joined: Sat Aug 03, 2013 5:45 pm


Post by barbaz » Tue Sep 06, 2022 3:13 pm

NoScript 11.4.10rc3
Firefox 104.0.2
new profile

STR:

1) NoScript Options > Advanced, enable Cross-tab identity leak protection everywhere

2) in Per-site Permissions, set to TRUSTED:
- flathub.org
- github.com
- githubassets.com

3) visit https://flathub.org/home

4) click e.g. the listing for Google Chrome

5) middle-click the "See details" link under "Publisher" to open it in new tab

Expected results: Cross-tab identity leak protection should trip at (5)
EDIT Correction: since there are no Github cookies at (5), the cross-tab identity leak protection should not trip at all.

Actual results: Clicking several same-origin links on the Github tab will eventually make the cross-tab identity leak protection trip on one of these same-origin link loads. It seems random when this happens.
*Always* check the changelogs BEFORE updating that important software!
Giorgio Maone
Site Admin
Posts: 9349
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: 11.4.10rc3 Cross-tab identity leak protection trips way too late

Post by Giorgio Maone » Tue Sep 06, 2022 10:08 pm

The issue here seems to be the relationship with the opening frame (from Flathub) not being cut by (several) user-initiated same-site navigations on Github.
Might it be, though, that those "navigations" are actually AJAX requests (therefore the "user initiated" information bit gets lost)?
The protection then is triggered as soon as one of these navigations is "blessed" with some cookie.
Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0


Post by barbaz » Wed Sep 07, 2022 4:16 pm

Giorgio Maone wrote (Tue Sep 06, 2022 10:08 pm):
> Might it be, though, that those "navigations" are actually AJAX requests

Flathub does. Github maybe, I'm not sure.

So to make sure I have it right: with AJAX-based navigations, the opener is not reset on navigation, thus it is actually correct for cross-tab identity leak protection to trigger here even though it looks late and random on the user end?

Post by Giorgio Maone » Wed Sep 07, 2022 5:03 pm

barbaz wrote (Wed Sep 07, 2022 4:16 pm):
> So to make sure I have it right: with AJAX-based navigations, the opener is not reset on navigation, thus it is actually correct for cross-tab identity leak protection to trigger here even though it looks late and random on the user end?

Correct.

Post by barbaz » Wed Sep 07, 2022 5:10 pm

Thanks.
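The behaviour confirmed in this thread, as an added example (a simplified model, not NoScript's code and not part of the original posts): the link to the opening tab survives AJAX loads and is cut only by a load recognised as a user-initiated navigation, so the protection trips on whichever later load first carries a cookie. The function name, event fields and sample sessions are constructed for illustration, and the cross-site comparison is an assumption of the model.

```javascript
// Simplified model of the behaviour described in the thread. Hypothetical
// names throughout; this is not NoScript's implementation.

// Replays the loads seen in a tab that was opened from `openerSite` and
// returns the index of the load on which the protection trips, or -1.
function replayTab(openerSite, loads) {
  let linkedOpener = openerSite; // relationship created when the tab was opened
  for (let i = 0; i < loads.length; i++) {
    const load = loads[i];
    // A load recognised as a user-initiated navigation cuts the opener link.
    if (load.kind === "navigation" && load.userInitiated) {
      linkedOpener = null;
      continue;
    }
    // Any other load (the initial one, or an AJAX request, which carries no
    // "user initiated" bit) leaves the link in place. Assumption: the check
    // fires when such a load sends cookies to a site other than the opener's.
    if (linkedOpener !== null && linkedOpener !== load.site && load.sendsCookies) {
      return i;
    }
  }
  return -1;
}

// Constructed sessions for a tab opened from flathub.org onto github.com.
const initial = { kind: "initial", site: "github.com", sendsCookies: false };
const ajax = (sendsCookies) => ({ kind: "ajax", site: "github.com", sendsCookies });
const click = (sendsCookies) =>
  ({ kind: "navigation", userInitiated: true, site: "github.com", sendsCookies });

// Links handled by AJAX: the opener link survives until a cookie shows up.
const ajaxSession = [initial, ajax(false), ajax(false), ajax(true), ajax(true)];
// Links handled as real navigations: the first click cuts the link.
const fullNavSession = [initial, click(false), click(true), ajax(true)];

console.log(replayTab("flathub.org", ajaxSession));    // 3
console.log(replayTab("flathub.org", fullNavSession)); // -1
```

In the model the trip index depends only on when the first cookie-bearing load happens, which is why the trigger looks late and random from the user's side.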