Does "Revoke Temporary Permissions" affect every tab?

Ask for help about NoScript, no registration needed to post
FranL
Senior Member
Posts: 84
Joined: Sun Dec 03, 2017 4:17 pm

Does "Revoke Temporary Permissions" affect every tab?

Post by FranL »

When I click "Revoke Temporary Permissions", the current tab reloads but not the other tabs.
Are the permissions actually revoked in every tab (including the ones that didn't reload)?
--
Fran
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Does "Revoke Temporary Permissions" affect every tab?

Post by barbaz »

Yes but it won't take effect until you reload the tab.
*Always* check the changelogs BEFORE updating that important software!
-
FranL
Senior Member
Posts: 84
Joined: Sun Dec 03, 2017 4:17 pm

Re: Does "Revoke Temporary Permissions" affect every tab?

Post by FranL »

Isn't that a security risk? The user clicks a button labelled "Revoke Temporary Permissions", but only a subset of temporary permissions are revoked — until the user performs a manual operation.

This appears to violate the Principle of Least Astonishment, because the user thinks he is restoring a level of security that is not fully restored. Given that this behavior is new to NS 10 (NS Classic reloads all tabs in this use case), when Tor browser upgrades to NS 10, will they have a concern about this change to the attack surface?

If there is a good reason that "Revoke Temporary Permissions" should NOT reload all tabs, perhaps a warning could be displayed.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Does "Revoke Temporary Permissions" affect every tab?

Post by barbaz »

FranL wrote:Isn't that a security risk?
Why would it be? The security risk in having a site allowed happens when you allow the site. Not when you revoke the permission.
FranL wrote:Given that this behavior is new to NS 10 (NS Classic reloads all tabs in this use case),
Well, NoScript Classic had this configurable. I have mine set up to reload only the current tab. Don't need background tabs reloading and wasting my bandwidth.
FranL wrote:when Tor browser upgrades to NS 10, will they have a concern about this change to the attack surface?
What attack surface does this change? Again, there is no significant security difference to having a site always allowed vs. allowing it and then forbidding it.
FranL wrote:If there is a good reason that "Revoke Temporary Permissions" should NOT reload all tabs, perhaps a warning could be displayed.
Why?
*Always* check the changelogs BEFORE updating that important software!
-
FranL
Senior Member
Posts: 84
Joined: Sun Dec 03, 2017 4:17 pm

Re: Does "Revoke Temporary Permissions" affect every tab?

Post by FranL »

Consider this sequence of events:
  • User has two tabs (A and B) open.
  • In tab A, the user clicks "Set all on this page to Temporary TRUSTED". This creates temporary trust for a set of domains (on all tabs).
  • Scripts on both tabs can now access those temporarily-trusted domains.
  • In tab A, the user clicks "Revoke Temporary Permissions". Tab A is now safe from scripts on that set of domains, but tab B is not safe (until the page on tab B is reloaded).
  • User switches to tab B and interacts with the dynamic content on tab B without reloading the page, but tab B still trusts the domains for which the user revoked temporary trust in tab A, so the scripts in tab B can still access those domains.
Am I misunderstanding how temporary permissions work?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Does "Revoke Temporary Permissions" affect every tab?

Post by Giorgio Maone »

FranL wrote:Consider this sequence of events:
  • User switches to tab B and interacts with the dynamic content on tab B without reloading the page, but tab B still trusts the domains for which the user revoked temporary trust in tab A, so the scripts in tab B can still access those domains.
Am I misunderstanding how temporary permissions work?
Slightly.
Everything that has been already loaded in tab B still works until the tab is reloaded (i.e. page's ability to run already parsed scripts persists until it's reloaded). But no new script source, unless otherwise previously set to (permanently) TRUSTED can be dynamically loaded by that tab.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
FranL
Senior Member
Posts: 84
Joined: Sun Dec 03, 2017 4:17 pm

Re: Does "Revoke Temporary Permissions" affect every tab?

Post by FranL »

Thanks, Giorgio. That clarifies my understanding.

I don't always remember to reload the other tabs after I revoke temporary permissions. An option to auto-reload all affected tabs would be ideal. Are there any plans to add such an option?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Does "Revoke Temporary Permissions" affect every tab?

Post by Giorgio Maone »

FranL wrote:Are there any plans to add such an option?
It was one of the most hated features in NoScript "Classic" (mostly because of the performance implications and the potential disruption of ongoing work), so as an option it's probably low priority.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Post Reply