[Invalid] 11.4.10rc3 Cross-tab identity leak protection trips way too late

Posted: Tue Sep 06, 2022 3:13 pm
by barbaz
NoScript 11.4.10rc3
Firefox 104.0.2
new profile

STR:

1) NoScript Options > Advanced, enable Cross-tab identity leak protection everywhere

2) in Per-site Permissions, set to TRUSTED:
- flathub.org
- github.com
- githubassets.com

3) visit https://flathub.org/home

4) click e.g. the listing for Google Chrome

5) middle-click the "See details" link under "Publisher" to open it in new tab

Expected results: Cross-tab identity leak protection should trip at (5)

EDIT Correction: since there are no Github cookies at (5), the cross-tab identity leak protection should not trip at all.

Actual results: Clicking several same-origin links on the Github tab will eventually make the cross-tab identity leak protection trip on one of these same-origin link loads. It seems random when this happens.

Re: 11.4.10rc3 Cross-tab identity leak protection trips way too late

Posted: Tue Sep 06, 2022 10:08 pm
by Giorgio Maone
The issue here seems to be the relationship with the opening frame (from Flathub) not being cut by (several) user-initiated same-site navigations on Github.
Might it be, though, that those "navigations" are actually AJAX requests (therefore the "user initiated" information bit gets lost)?
The protection then is triggered as soon as one of these navigations is "blessed" with some cookie.

Re: 11.4.10rc3 Cross-tab identity leak protection trips way too late

Posted: Wed Sep 07, 2022 4:16 pm
by barbaz
Giorgio Maone wrote: Tue Sep 06, 2022 10:08 pm Might it be, though, that those "navigations" are actually AJAX requests
Flathub does. Github maybe, I'm not sure.

So to make sure I have it right: with AJAX-based navigations, the opener is not reset on navigation, thus it is actually correct for cross-tab identity leak protection to trigger here even though it looks late and random on the user end?

Re: 11.4.10rc3 Cross-tab identity leak protection trips way too late

Posted: Wed Sep 07, 2022 5:03 pm
by Giorgio Maone
barbaz wrote: Wed Sep 07, 2022 4:16 pm So to make sure I have it right: with AJAX-based navigations, the opener is not reset on navigation, thus it is actually correct for cross-tab identity leak protection to trigger here even though it looks late and random on the user end?
Correct.

Re: 11.4.10rc3 Cross-tab identity leak protection trips way too late

Posted: Wed Sep 07, 2022 5:10 pm
by barbaz
Thanks.
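
Added example (not part of the thread and not NoScript's code): a small JavaScript model of the behaviour confirmed above, where AJAX-based clicks keep the opener link alive and the protection trips on the first load that carries a cookie. `TabModel`, `load()`, `firstTrip()` and the click format are hypothetical names, and the scenarios are constructed.

```javascript
// Simplified model of the behaviour described in this thread. NOT NoScript's code:
// TabModel, load(), firstTrip() and the click format are hypothetical names.
class TabModel {
  constructor(site, openerSite) {
    this.site = site;
    this.openerSite = openerSite; // site of the tab that opened this one, or null
  }
  // One link click. `ajax` = content fetched by a background request (the
  // "user initiated" bit is lost); `cookies` = the request carries cookies.
  load({ ajax, cookies }) {
    if (!ajax) this.openerSite = null; // real user navigation cuts the opener link
    const crossSiteOpener = this.openerSite !== null && this.openerSite !== this.site;
    return crossSiteOpener && cookies; // true = protection trips on this load
  }
}

// Returns the 1-based index of the click on which the protection trips, or 0 if never.
function firstTrip(openerSite, site, clicks) {
  const tab = new TabModel(site, openerSite);
  for (let i = 0; i < clicks.length; i++) {
    if (tab.load(clicks[i])) return i + 1;
  }
  return 0;
}

// Constructed scenarios: a github.com tab opened from flathub.org, no cookies at first.
const ajaxClicks = [
  { ajax: true, cookies: false },
  { ajax: true, cookies: false },
  { ajax: true, cookies: true }, // first same-origin load that carries a cookie
];
const fullClicks = [
  { ajax: false, cookies: false }, // full page load resets the opener
  { ajax: false, cookies: true },
];

console.log("AJAX clicks trip on click", firstTrip("flathub.org", "github.com", ajaxClicks));
console.log("Full loads trip on click", firstTrip("flathub.org", "github.com", fullClicks));
console.log("No opener trips on click", firstTrip(null, "github.com", ajaxClicks));
```

In this model the trip lands on whichever click first carries a cookie, which is why it looks late and random from the user's side.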