Video codec versions must be allowed individually with MSE


Re: Video codec versions must be allowed individually with M

Post by Sep »

I mean this, with the meta bug here. It's part of the Tor uplift project which backports Tor Browser privacy improvements into mainstream Firefox.

Containers is a neat feature, which I guess leverages first party isolation code (?) to merely isolate containers from one another. First party isolation should be a lot closer to a per site permission feature. But it could be that from an implementation point of view, Containers may be the right alley for NoScript to build its per site permissions feature, that I don't know. I'm saying that because I know Containers will be accessible to WebExtensions whereas I don't know the link between WE and first party isolation.

Post by Thrawn »

barbaz wrote: Thrawn, are you saying I've actually got better protection against clickjacking than ClearClick can deliver?
For a price, yes.

ClearClick works by heuristics, and thus gives you quite good protection seamlessly. You don't need to know it's there until it hits something suspicious; it can even do its job in Global Allow mode. The XSS filter, for all its false positives, is similar. And neither ClearClick nor the XSS filter are useless. They help alert you to suspicious traffic in channels that you previously assumed were safe.

If, however, you're willing to make a lot of extra decisions about which cross-site traffic is allowed, then yes, overall, a default-deny policy gives you better security than heuristics can provide.

Happily, you can use both :).
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.

Post by barbaz »

Thrawn wrote: If, however, you're willing to make a lot of extra decisions about which cross-site traffic is allowed, then yes, overall, a default-deny policy gives you better security than heuristics can provide.
Would I need to default-deny all cross-site requests? Or is blocking cross-site frames and plugins enough?
*Always* check the changelogs BEFORE updating that important software!

Post by Thrawn »

I'm not certain whether clickjacking can be performed without frames or plugins, but I suspect not. So that's probably enough.

Post by barbaz »

Cool. Thanks to both of you for the explanations!