InformAction Forums

barbaz wrote: ↑Wed Aug 10, 2022 9:17 pm If I test this protection with a cross-site link to this forum while I'm logged in here, and select "Load anonymously", I'm completely logged out of the forum. Is total logout an intended part of the defense? (As opposed to e.g. performing the anonymous load in a new, temporary, NoScript-created Firefox container to prevent logout in the "legitimate" tab, if such is technically possible in WebExtensions.)

Giorgio Maone wrote: ↑Thu Aug 11, 2022 4:59 am That depends on the website. If they automatically assign an anonymous session id (like it happens here), it overrides the one you had and you're automatically logged out for good.
Anyway I'll investigate using containers to mitigate this side effect, thanks.

barbaz wrote: ↑Sat Sep 10, 2022 5:31 pm At (5), the cross-tab identity leak protection claims that informaction.com can obtain github.com login data at that load, even though the opener tab is github.com. Does the exploit also work through "chaining" opener tabs like this?

barbaz wrote: ↑Mon Jan 23, 2023 7:11 pm Also, another case I wonder about? -

Firefox 109.0.1
NoScript 11.4.15rc1
new profile

STR:

1) NoScript Options > Advanced, set Cross-tab identity leak protection Enabled everywhere

2) NoScript Options > Per-site Permissions, set github.com and flathub.org to Trusted

3) go to https://flathub.org/

4) middle click any app's listing to open it in new tab

5) in that tab, middle click any link to github.com

6) switch back to the original flathub tab and middle click any other app's listing

barbaz wrote: ↑Thu Jun 15, 2023 4:24 pm 1) So cookies are the only thing that needs to be anonymized to fully stop this attack, and the use of Containers for the anonymous load would be overkill?

barbaz wrote: ↑Thu Jun 15, 2023 4:24 pm 2) Does it matter that subsequent loads in the tab are not anonymized? e.g. navigating clicking a same-origin link on the anonymously-loaded tab is no longer loaded anonymously

1. We actually check that the new navigation or reload is user-induced and not automatic, therefore the timing is effectively randomized making the attack much more impractical
2. If the user is in control of the new navigation the scenario of an unintentional / silent attack is much less likely.

barbaz wrote: ↑Thu Jun 15, 2023 4:24 pm 3) Might it matter that cookies in an anonymously-loaded page are still accessible via document.cookie?

Giorgio Maone wrote: ↑Fri Jun 16, 2023 5:55 am

barbaz wrote: ↑Sat Sep 10, 2022 5:31 pm At (5), the cross-tab identity leak protection claims that informaction.com can obtain github.com login data at that load, even though the opener tab is github.com. Does the exploit also work through "chaining" opener tabs like this?

Yes, it can. As long as there's one tab in control of the attacker which may know/control the URL of what's loaded in another tab (the oracle site where the user is logged in), the attack is possible.

barbaz wrote: ↑Fri Jun 16, 2023 1:04 pm Thanks Giorgio for the info & fixes!

But in 11.4.23rc4 I no longer get the warning following STR in viewtopic.php?p=106035#p106035 , but you're saying it was correct for the warning to happen there?

x [TabGuard] Decouple tab ties cutting from one-shot
  authorized loads cases for same-site navigation

Giorgio Maone wrote: ↑Mon Jun 19, 2023 10:06 pm The latter measure was unnecessary, since the risk we want to prevent here is the same-site navigation in a new tab being just a redirection to an actual cross-site "victim" site (in this case, github.com being the attacker and another site being the potential victim).