The Self-Destructing Cookies extension can delete cookies when the tab using them is closed.
I'd like to see a similar feature in NoScript: Automatically expire those temporary permissions that aren't used by any open tabs, maybe after a configurable grace period ...
Feature request: "Self-destructing" temporary permissions
Feature request: "Self-destructing" temporary permissions
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Re: Feature request: "Self-destructing" temporary permission
In some ways, that's a nice idea. I'm sure a lot of people would like to use it.
However, from a security standpoint, it is not really all that helpful. Either a site is going to attack you immediately, and revoking later won't help, or it's safe, and revoking isn't needed.
From a privacy perspective, it makes sense to destroy things immediately after you're finished using them. But from a security perspective, it doesn't. All it will achieve is a false sense of security.
And Self-Destructing Cookies works by polling the cookie jar constantly, checking whether there are open tabs associated with cookies. NoScript would have to do this for your whole whitelist, imposing a performance hit (especially for big whitelists), without really giving you any more security.
So I like this idea, but if it came to a vote, I would vote against it.
However, from a security standpoint, it is not really all that helpful. Either a site is going to attack you immediately, and revoking later won't help, or it's safe, and revoking isn't needed.
From a privacy perspective, it makes sense to destroy things immediately after you're finished using them. But from a security perspective, it doesn't. All it will achieve is a false sense of security.
And Self-Destructing Cookies works by polling the cookie jar constantly, checking whether there are open tabs associated with cookies. NoScript would have to do this for your whole whitelist, imposing a performance hit (especially for big whitelists), without really giving you any more security.
So I like this idea, but if it came to a vote, I would vote against it.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Re: Feature request: "Self-destructing" temporary permission
Yes, I was thinking mainly from the privacy and less from the security perspective - and cannot remember my temporary whitelist having more than a dozen entries ...Thrawn wrote:In some ways, that's a nice idea. I'm sure a lot of people would like to use it.
However, from a security standpoint, it is not really all that helpful. Either a site is going to attack you immediately, and revoking later won't help, or it's safe, and revoking isn't needed.
From a privacy perspective, it makes sense to destroy things immediately after you're finished using them. But from a security perspective, it doesn't. All it will achieve is a false sense of security.
And Self-Destructing Cookies works by polling the cookie jar constantly, checking whether there are open tabs associated with cookies. NoScript would have to do this for your whole whitelist, imposing a performance hit (especially for big whitelists), without really giving you any more security.
So I like this idea, but if it came to a vote, I would vote against it.
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Re: Feature request: "Self-destructing" temporary permission
You know, I've reconsidered; I actually think that this would be helpful when investigating which scripts are needed vs junk. But there might still be problems regarding a false sense of security. And it would likely be a good-sized chunk of work for Giorgio, who is already very busy.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
Re: Feature request: "Self-destructing" temporary permission
How so?Thrawn wrote:I actually think that this would be helpful when investigating which scripts are needed vs junk.
What problems? I don't see how this feature would give me a false sense of security. You allow a site once, that's generally all the chance it needs to do malicious things to you if it's going to, and revoking the permission later won't make any difference.Thrawn wrote:But there might still be problems regarding a false sense of security.
More like, if the configurable grace period is implemented, this feature would be a convenience for long browser sessions when I may forget what all I've Temp-Allowed and I didn't think to check the Revoke Temporary Permissions tooltip. If temporary permissions for objects are revoked as part of this, it could also help mitigate the need for this RFE. So to me, it would have a good use that is neither security nor privacy related.
+1 from me if it has that configurable grace period (otherwise I wouldn't use this feature at all), but this feature is not super important IMO.
*Always* check the changelogs BEFORE updating that important software!
Opera/9.80 (X11; Linux x86_64) Presto/2.12.388 Version/12.16
Re: Feature request: "Self-destructing" temporary permission
No need to revoke temporary permissions - possibly wiping out temporary permissions on other sites - once you're done.barbaz wrote:How so?Thrawn wrote:I actually think that this would be helpful when investigating which scripts are needed vs junk.
Besides the convenience, there is also the fact that the sooner you wipe temporary permissions, the sooner you shrink your attack surface for trusted sites to be compromised. NS is pretty effective at stopping such attacks anyway, but the fact remains.
Yes, you understand that, and so it's not a problem for you - but what about Joe User?What problems? I don't see how this feature would give me a false sense of security. You allow a site once, that's generally all the chance it needs to do malicious things to you if it's going to, and revoking the permission later won't make any difference.Thrawn wrote:But there might still be problems regarding a false sense of security.
It might also have some application for people who want to allow things per-tab; it won't quite do that, but it would come close if you visit sites sequentially.More like, if the configurable grace period is implemented, this feature would be a convenience for long browser sessions when I may forget what all I've Temp-Allowed and I didn't think to check the Revoke Temporary Permissions tooltip.
No, it certainly isn't.+1 from me if it has that configurable grace period (otherwise I wouldn't use this feature at all), but this feature is not super important IMO.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0
Re: Feature request: "Self-destructing" temporary permission
Interesting, I didn't think of it that way. That would be nice.Thrawn wrote:Besides the convenience, there is also the fact that the sooner you wipe temporary permissions, the sooner you shrink your attack surface for trusted sites to be compromised. NS is pretty effective at stopping such attacks anyway, but the fact remains.
Still not hugely important though.
Well, I can't speak for Joe User generally, but one of the least techie people I know seems inclined to think that on the Internet, allowing something even once is REALLY scary because it just might attack right then and there...Thrawn wrote:Yes, you understand that, and so it's not a problem for you - but what about Joe User?What problems? I don't see how this feature would give me a false sense of security. You allow a site once, that's generally all the chance it needs to do malicious things to you if it's going to, and revoking the permission later won't make any difference.Thrawn wrote:But there might still be problems regarding a false sense of security.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36
Re: Feature request: "Self-destructing" temporary permission
There are initialization for toolbarbutton (CB), abolishing the temporary permissions when changing or closing active tab.
The switch is only separately: CB_Disable_Initialization or Disable/Enable Button.
The switch is only separately: CB_Disable_Initialization or Disable/Enable Button.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0 SeaMonkey/2.21
Re: Feature request: "Self-destructing" temporary permission
User Riar has suggested that marking any sites that had auto-revoked temporary permissions would help eliminate some of the potential for false sense of security, in that users could know what was automatically revoked and they wouldn't be fooled by Unicode-lookalike domains, by being accustomed to Temporarily Allowing the same site(s) a lot. I think that is a good idea and should apply to this RFE if it is implemented.
That discussion (which is about auto-revoking temporary permissions after user-configured time period) is at viewtopic.php?f=8&t=21615
That discussion (which is about auto-revoking temporary permissions after user-configured time period) is at viewtopic.php?f=8&t=21615
*Always* check the changelogs BEFORE updating that important software!
-