[FIXED] Cross-tab identity leak protection warning about a site potentially attacking itself

barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Post by barbaz »

Firefox 114.0.2
NoScript 11.4.23rc5
new profile

STR:

1) about:preferences > General > Tabs, check "When you open a link, image or media in a new tab, switch to it immediately"

2) when installing NoScript be sure to enable "Allow this extension to run in Private Windows"

3) NoScript Options > Advanced, Cross-tab identity leak protection "Enabled everywhere" and "Prompt before anonymizing any request"

4) visit any page on https://forums.informaction.com/

5) NoScript Options > Per-site Permissions, set informaction.com and mozilla.org Trusted

6) visit viewtopic.php?t=26871, open the bugzilla link Giorgio posted there in a new tab

7) open in a new tab the link back to that thread ("suggested here") (so now there are two tabs open to that thread)

8) select "Load normally" on the expected cross-tab identity leak protection warning

9) close the last opened tab, then repeat (7)

At this point, NoScript throws the following cross-tab identity leak protection -

You are about to load a page from informaction.com.

If you are a informaction.com logged-in user, information about your identity might be acquired by informaction.com.

Umm. If forums.informaction.com wanted to determine my identity on forums.informaction.com, surely there must be an easier way than trying to perform the cross-tab identity leak attack on itself, no? :P

Why is this warning happening?

(This is not a regression in latest dev build - it also happens with rc4)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross-tab identity leak protection warning about a site potentially attacking itself

Post by Giorgio Maone »

Interesting. Investigating, thanks.
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross-tab identity leak protection warning about a site potentially attacking itself

Post by Giorgio Maone »

Fixed in latest dev build, thanks:

v 11.4.24rc1
============================================================
x [TabGuard] Stop exempting domains bidirectionally by
default
x [TabGuard] Fix destination domain being reported as the
trigger of a warning prompt when all the other tab-tied
domains have been exempted (thanks barbaz for report)
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
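
Added example, not part of the thread and not NoScript's TabGuard code: a simplified model of the two changelog entries above, showing why a directional exemption matters and how the destination could end up as the only remaining "trigger". All class and function names are hypothetical, the scenario data is constructed from the STR, and it assumes that choosing "Load normally" records an exemption for the prompting domain.

```javascript
// Simplified model of the prompt decision, NOT NoScript's TabGuard source.
// Every name below is hypothetical; the scenario data is constructed.

class Exemptions {
  constructor({ bidirectional = false } = {}) {
    this.bidirectional = bidirectional;
    this.pairs = new Set(); // entries are "origin>destination"
  }
  add(origin, destination) {
    this.pairs.add(`${origin}>${destination}`);
    // Pre-fix default per the changelog: also exempt the reverse direction.
    if (this.bidirectional) this.pairs.add(`${destination}>${origin}`);
  }
  has(origin, destination) {
    return this.pairs.has(`${origin}>${destination}`);
  }
}

// Reported behaviour: the destination stays in the candidate list, so once
// every other tied domain is exempted it is the only "trigger" left.
function triggersAsReported(tied, destination, ex) {
  return [...new Set(tied)].filter(
    d => d === destination || !ex.has(d, destination));
}

// Corrected behaviour: a domain is never a cross-site trigger for itself.
function triggersFixed(tied, destination, ex) {
  return [...new Set(tied)].filter(
    d => d !== destination && !ex.has(d, destination));
}

// Steps 6-9 of the report: thread tab -> bugzilla tab -> thread link again.
function scenario() {
  const tied = ["informaction.com", "mozilla.org"]; // domains tied to the tab
  const ex = new Exemptions();
  ex.add("mozilla.org", "informaction.com"); // assumed effect of "Load normally"
  const legacy = new Exemptions({ bidirectional: true });
  legacy.add("mozilla.org", "informaction.com");
  return {
    reported: triggersAsReported(tied, "informaction.com", ex),
    fixed: triggersFixed(tied, "informaction.com", ex),
    // Opposite direction: loading mozilla.org from a tab tied to the forum.
    reverseDirectional: triggersFixed(tied, "mozilla.org", ex),
    reverseBidirectional: triggersFixed(tied, "mozilla.org", legacy),
  };
}
```

In this model an empty list means no prompt; with bidirectional exemptions the reverse direction is silently allowed, while directional exemptions still name informaction.com when mozilla.org is the destination.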