11.4.23rc1 changelog contradicts NoScript Options

General discussion about the NoScript extension for Firefox
Post Reply
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

11.4.23rc1 changelog contradicts NoScript Options

Post by barbaz »

NoScript changelog for 11.4.23rc1 includes -
https://noscript.net/getit/#recent-development-history wrote:v 11.4.23rc1
============================================================
x [TabGuard] Introduce prompt granularity options (default:
prompt only on POST requests)
So IOW, the Cross-tab identity leak protection can now be configured to only check cross-tab POST requests, and this is the new default. Sounds good, I thought, let's update & take a look - if Giorgio thinks this is sufficient default security for this feature, sure would reduce the number of warnings & false positives, making this feature much nicer to use. Sweet. Image

But after updating, NoScript Options words this new option like -
  • Never prompt before anonymization
  • Prompt before anonymizing POST submissions
  • Prompt before anonymizing any request
So IOW, the new setting makes Cross-tab identity leak protection silently anonymize requests...and the default is to do this for all non-POST cross-tab requests? Not good, this would introduce serious usability issues :( Image

So which is it?
Could whichever wording is wrong please be fixed?

And if the current wording of NoScript Options is the correct one, could the aforementioned issues with this please be addressed before this gets to NoScript stable channel? Otherwise it's just asking for a deluge of difficult support requests, if many people use Cross-tab identity leak protection.

Thanks for any clarification or action.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by Giorgio Maone »

barbaz wrote: Tue May 23, 2023 1:44 am And if the current wording of NoScript Options is the correct one, could the aforementioned issues with this please be addressed before this gets to NoScript stable channel? Otherwise it's just asking for a deluge of difficult support requests, if many people use Cross-tab identity leak protection.
That's the plan, indeed, see "next steps" here.
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by barbaz »

Thanks Giorgio, it's clear now that NoScript Options wording is the correct one.

In that case, maybe the changelog would be better worded more like

Code: Select all

+ [TabGuard] Add option to load some requests anonymously without prompting
where an explicit user decision has not been made (default: prompt only on POST requests)
I'm not clear whether the "next steps" will fully address the specific issues raised? Quoting myself from the linked thread -
barbaz wrote: Sat Jan 21, 2023 5:06 pm 1) Currently the dialog is the only way to make cross-tab identity leak protection decisions for individual site pairs. Probably NoScript Options would need to get a UI for view/add/edit/delete the individual cross-tab identity leak protection decisions.
This is necessary to make troubleshooting "why did NoScript ignore my prompting preference" type issues accessible to users. And if it allows adding/editing choices, it would also greatly ease making permanent exceptions to a global automatic decision. Is such UI planned?

On the subject of Cross-tab identity leak protection decisions for individual site pairs, would adding "Always prompt" type option(s) now be useful? e.g. "Always prompt for this site pair" or "Always prompt when one of the sites is example.com & the site pair has no explicit decision"
barbaz wrote: Sat Jan 21, 2023 5:06 pm 2) viewtopic.php?p=105923#p105923
Having that happen automatically would be bad in several ways, especially if happened without any notice that cross-tab identity leak protection took action. The Containers idea proposed in the linked thread would address these concerns too.
The linked discussion points out that loading anonymously can cause existing cookies to get overwritten, causing unintended total logout, and suggests using Containers to avoid this. Does the plan for a "Reload with cookies/credentials" option include using Containers to isolate anonymous loads away from the rest of the browser session, so that original credentials are preserved & can be used for such reload?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by barbaz »

The issues with automatic anonymous loading have been addressed in current NoScript and in viewtopic.php?t=26760&start=15 Image
barbaz wrote: Tue May 23, 2023 10:37 am maybe the changelog would be better worded more like

Code: Select all

+ [TabGuard] Add option to load some requests anonymously without prompting
where an explicit user decision has not been made (default: prompt only on POST requests)
Will the changelog wording be clarified before stable?
barbaz wrote: Tue May 23, 2023 10:37 am
barbaz wrote: Sat Jan 21, 2023 5:06 pm 1) Currently the dialog is the only way to make cross-tab identity leak protection decisions for individual site pairs. Probably NoScript Options would need to get a UI for view/add/edit/delete the individual cross-tab identity leak protection decisions.
This is necessary to make troubleshooting "why did NoScript ignore my prompting preference" type issues accessible to users. And if it allows adding/editing choices, it would also greatly ease making permanent exceptions to a global automatic decision. Is such UI planned?
Any news on plans for such UI?
barbaz wrote: Tue May 23, 2023 10:37 am On the subject of Cross-tab identity leak protection decisions for individual site pairs, would adding "Always prompt" type option(s) now be useful? e.g. "Always prompt for this site pair" or "Always prompt when one of the sites is example.com & the site pair has no explicit decision"
These levels of granularity for any type of decision (always anonymize, always prompt, always load normally) would really improve usability. Real world example, it would be helpful to specify to always load normally when one of the sites is duckduckgo.com, regardless of what the other site is.

(IIUC from viewtopic.php?p=105919#p105919 it doesn't matter which site in the pair is the opener tab & which site is being opened, so it would be pointless to make a distinction between "Always load normally when opener tab is example.com" vs "Always load example.com normally", wouldn't it?)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by barbaz »

barbaz wrote: Tue Jun 20, 2023 12:43 pm (IIUC from viewtopic.php?p=105919#p105919 it doesn't matter which site in the pair is the opener tab & which site is being opened, so it would be pointless to make a distinction between "Always load normally when opener tab is example.com" vs "Always load example.com normally", wouldn't it?)
So I didn't understand correctly? -
Giorgio Maone wrote: Wed Jun 28, 2023 2:40 pm v 11.4.24rc1
============================================================
x [TabGuard] Stop exempting domains bidirectionally by
default
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by Giorgio Maone »

barbaz wrote: Wed Jun 28, 2023 3:25 pm So I didn't understand correctly? -
Giorgio Maone wrote: Wed Jun 28, 2023 2:40 pm v 11.4.24rc1
============================================================
x [TabGuard] Stop exempting domains bidirectionally by
default
This change just means that now if you chose to "Load normally" a.com from b.com, you will still get asked what to do when loading b.com from a.com (until you make a decision for this direction as well). The rationale is that only because you've decided to load a.com with authorization data, this doesn't automatically imply you're OK with a.com potentially "attacking" b.com.
Last edited by barbaz on Wed Jun 28, 2023 3:54 pm, edited 1 time in total.
Reason: add missing close quote tag
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by barbaz »

Giorgio Maone wrote: Wed Jun 28, 2023 3:40 pm This change just means that now if you chose to "Load normally" a.com from b.com, you will still get asked what to do when loading b.com from a.com (until you make a decision for this direction as well). The rationale is that only because you've decided to load a.com with authorization data, this doesn't automatically imply you're OK with a.com potentially "attacking" b.com.
It's a nice idea, and sounds much better in theory, but I'm confused because viewtopic.php?p=105919#p105919 seems to be saying that direction is immaterial to this attack? -
Giorgio Maone wrote: Wed Aug 10, 2022 5:17 pm any tab pair which is in a opener-opened relationship (no matter the direction) is a potential vector, as long as the two tabs are from different domains.
(emphasis mine)

Does this not mean that by having selected "Load normally" a.com from b.com, that a.com is already then able to attack b.com using that same tab pair?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by Giorgio Maone »

barbaz wrote: Wed Jun 28, 2023 3:50 pm Does this not mean that by having selected "Load normally" a.com from b.com, that a.com is already then able to attack b.com using that same tab pair?
That's correct theoretically, but at this stage a.com has no way (yet) to choose which content is opened in b.com, something which is integral to the attack (the exact page opened in the victim site must be determined by the attacker).
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by barbaz »

Ah, the directionality introduced in 11.4.21rc1 is not the opener/opened direction, it's the direction of the act of one tab determining another tab's URL. Thanks for clarifying! Image
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by Giorgio Maone »

waqarmir11 wrote: Thu Jul 20, 2023 10:40 am The new default setting only checks cross-tab POST requests. This is a more targeted approach that should provide adequate protection without generating too many warnings.
Just to clarify, all cross-tab cross-site requests (including GET) are checked and possibly "anonymized" if needed. The difference is that POST requests cause a prompt to be shown, asking users whether they actually want to anonymize that specific request, because POST requests can cause side effects and therefore cannot be reliably replicated with authorization, should you understand you need to.
GET requests are automatically anonymized if they happen in any potentially "dangerous" scenario, but in order to recover their authorization if something unexpected / unwanted happens you just need to reload or navigate to another link.

The net result, as you said, is better usability because the warning / permission fatigue goes down near to zero.
waqarmir11 wrote: Thu Jul 20, 2023 10:40 am I'm glad that you're taking the time to update your settings and take advantage of this new feature. It's a small change, but it could make a big difference in your security.

Thanks,
Thank you, I appreciate you appreciate :)
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by barbaz »

Image
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: 11.4.23rc1 changelog contradicts NoScript Options

Post by Giorgio Maone »

barbaz wrote: Thu Jul 20, 2023 5:48 pm Image
:o Thank you :oops:
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Post Reply