11.4.23rc1 changelog contradicts NoScript Options

[barbaz]

NoScript changelog for 11.4.23rc1 includes -

v 11.4.23rc1
============================================================
x [TabGuard] Introduce prompt granularity options (default:
prompt only on POST requests)

So IOW, the Cross-tab identity leak protection can now be configured to only check cross-tab POST requests, and this is the new default. Sounds good, I thought, let's update & take a look - if Giorgio thinks this is sufficient default security for this feature, sure would reduce the number of warnings & false positives, making this feature much nicer to use. Sweet.

But after updating, NoScript Options words this new option like -

• Never prompt before anonymization
• Prompt before anonymizing POST submissions
• Prompt before anonymizing any request

So IOW, the new setting makes Cross-tab identity leak protection silently anonymize requests...and the default is to do this for all non-POST cross-tab requests? Not good, this would introduce serious usability issues

So which is it?
Could whichever wording is wrong please be fixed?

And if the current wording of NoScript Options is the correct one, could the aforementioned issues with this please be addressed before this gets to NoScript stable channel? Otherwise it's just asking for a deluge of difficult support requests, if many people use Cross-tab identity leak protection.

Thanks for any clarification or action.

[Giorgio Maone]

And if the current wording of NoScript Options is the correct one, could the aforementioned issues with this please be addressed before this gets to NoScript stable channel? Otherwise it's just asking for a deluge of difficult support requests, if many people use Cross-tab identity leak protection.

That's the plan, indeed, see "next steps" here.

[barbaz]

Thanks Giorgio, it's clear now that NoScript Options wording is the correct one.

In that case, maybe the changelog would be better worded more like

Code: Select all

+ [TabGuard] Add option to load some requests anonymously without prompting
where an explicit user decision has not been made (default: prompt only on POST requests)

I'm not clear whether the "next steps" will fully address the specific issues raised? Quoting myself from the linked thread -

1) Currently the dialog is the only way to make cross-tab identity leak protection decisions for individual site pairs. Probably NoScript Options would need to get a UI for view/add/edit/delete the individual cross-tab identity leak protection decisions.

This is necessary to make troubleshooting "why did NoScript ignore my prompting preference" type issues accessible to users. And if it allows adding/editing choices, it would also greatly ease making permanent exceptions to a global automatic decision. Is such UI planned?

On the subject of Cross-tab identity leak protection decisions for individual site pairs, would adding "Always prompt" type option(s) now be useful? e.g. "Always prompt for this site pair" or "Always prompt when one of the sites is example.com & the site pair has no explicit decision"

2) viewtopic.php?p=105923#p105923
Having that happen automatically would be bad in several ways, especially if happened without any notice that cross-tab identity leak protection took action. The Containers idea proposed in the linked thread would address these concerns too.

The linked discussion points out that loading anonymously can cause existing cookies to get overwritten, causing unintended total logout, and suggests using Containers to avoid this. Does the plan for a "Reload with cookies/credentials" option include using Containers to isolate anonymous loads away from the rest of the browser session, so that original credentials are preserved & can be used for such reload?

[barbaz]

The issues with automatic anonymous loading have been addressed in current NoScript and in viewtopic.php?t=26760&start=15

maybe the changelog would be better worded more like

Code: Select all

+ [TabGuard] Add option to load some requests anonymously without prompting
where an explicit user decision has not been made (default: prompt only on POST requests)

Will the changelog wording be clarified before stable?

1) Currently the dialog is the only way to make cross-tab identity leak protection decisions for individual site pairs. Probably NoScript Options would need to get a UI for view/add/edit/delete the individual cross-tab identity leak protection decisions.

This is necessary to make troubleshooting "why did NoScript ignore my prompting preference" type issues accessible to users. And if it allows adding/editing choices, it would also greatly ease making permanent exceptions to a global automatic decision. Is such UI planned?

Any news on plans for such UI?

On the subject of Cross-tab identity leak protection decisions for individual site pairs, would adding "Always prompt" type option(s) now be useful? e.g. "Always prompt for this site pair" or "Always prompt when one of the sites is example.com & the site pair has no explicit decision"

These levels of granularity for any type of decision (always anonymize, always prompt, always load normally) would really improve usability. Real world example, it would be helpful to specify to always load normally when one of the sites is duckduckgo.com, regardless of what the other site is.

(IIUC from viewtopic.php?p=105919#p105919 it doesn't matter which site in the pair is the opener tab & which site is being opened, so it would be pointless to make a distinction between "Always load normally when opener tab is example.com" vs "Always load example.com normally", wouldn't it?)

[barbaz]

(IIUC from viewtopic.php?p=105919#p105919 it doesn't matter which site in the pair is the opener tab & which site is being opened, so it would be pointless to make a distinction between "Always load normally when opener tab is example.com" vs "Always load example.com normally", wouldn't it?)

So I didn't understand correctly? -

v 11.4.24rc1
============================================================
x [TabGuard] Stop exempting domains bidirectionally by
default

[Giorgio Maone]

So I didn't understand correctly? -

v 11.4.24rc1
============================================================
x [TabGuard] Stop exempting domains bidirectionally by
default

This change just means that now if you chose to "Load normally" a.com from b.com, you will still get asked what to do when loading b.com from a.com (until you make a decision for this direction as well). The rationale is that only because you've decided to load a.com with authorization data, this doesn't automatically imply you're OK with a.com potentially "attacking" b.com.

[barbaz]

This change just means that now if you chose to "Load normally" a.com from b.com, you will still get asked what to do when loading b.com from a.com (until you make a decision for this direction as well). The rationale is that only because you've decided to load a.com with authorization data, this doesn't automatically imply you're OK with a.com potentially "attacking" b.com.

It's a nice idea, and sounds much better in theory, but I'm confused because viewtopic.php?p=105919#p105919 seems to be saying that direction is immaterial to this attack? -

any tab pair which is in a opener-opened relationship (no matter the direction) is a potential vector, as long as the two tabs are from different domains.

(emphasis mine)

Does this not mean that by having selected "Load normally" a.com from b.com, that a.com is already then able to attack b.com using that same tab pair?

[Giorgio Maone]

Does this not mean that by having selected "Load normally" a.com from b.com, that a.com is already then able to attack b.com using that same tab pair?

That's correct theoretically, but at this stage a.com has no way (yet) to choose which content is opened in b.com, something which is integral to the attack (the exact page opened in the victim site must be determined by the attacker).

[barbaz]

Ah, the directionality introduced in 11.4.21rc1 is not the opener/opened direction, it's the direction of the act of one tab determining another tab's URL. Thanks for clarifying!

[Giorgio Maone]

The new default setting only checks cross-tab POST requests. This is a more targeted approach that should provide adequate protection without generating too many warnings.

Just to clarify, all cross-tab cross-site requests (including GET) are checked and possibly "anonymized" if needed. The difference is that POST requests cause a prompt to be shown, asking users whether they actually want to anonymize that specific request, because POST requests can cause side effects and therefore cannot be reliably replicated with authorization, should you understand you need to.
GET requests are automatically anonymized if they happen in any potentially "dangerous" scenario, but in order to recover their authorization if something unexpected / unwanted happens you just need to reload or navigate to another link.

The net result, as you said, is better usability because the warning / permission fatigue goes down near to zero.

I'm glad that you're taking the time to update your settings and take advantage of this new feature. It's a small change, but it could make a big difference in your security.

Thanks,

Thank you, I appreciate you appreciate

[barbaz]

[Giorgio Maone]

Thank you