Feature request: Lock tab to current domain

[lobotomie]

Hi,

would it be possible for noscript devs to add an option to
lock a tab (or just the active tab) to the current domain
shown in the tab address bar?

When locked, it is only possible to navigate to pages inside the same domain.
Clicking a (hidden) link in the tab (or any other event) would have no effect
and also won't open new tabs/windows as long as the target is outside the
current domain. Allowed scripts should also not be able to navigate to
pages outside the current domain. Nothing should be able to break out.

Not sure if that is possible and how much work this would be?

[barbaz]

Interesting idea. What use case(s) do you have in mind?

[lobotomie]

The use case is to make hidden links and redirect actions/scripts non-effective
while navigating on a website in this new "second-level-domain-locked mode"

Use case example without the feature:
1. User goes to website example.com
2. User has noscript (maybe temporarily) configured to allow scripts for (only) example.com
3. Unfortunately, example.com has the business model to open other websites via hidden links or scripts
4. User does not trust extensions except noscript, so at the moment he avoids that example.com can open new tabs/windows by setting dom.popup_allowed_events to empty in about:config
=> While this already improves the situation, it does not prevent that the current tab loads a page from another second-level-domain

Use case example with the new feature:
1. User goes to website example.com
2. User has noscript (maybe temporarily) configured to allow scripts for (only) example.com
3. User has noscript (maybe temporarily) configured to lock browsing into example.com
=> Perfect! He can navigate on example.com and its sub-pages without leaving the page nor opening new tabs/windows

[barbaz]

NoScript is a security tool. Looking at that use case from a security perspective, one way to achieve it would be to reintroduce ABE to NoScript. Then you could write ABE rule(s) to perform the type of locking you want. If you don't always want the locking for a site, your locking rules could be written in their own separate ruleset that you only enable when you want the locking.

ABE is definitely coming back in NoScript Webext, some work has been done toward it but I don't know the current status or if there is any planned timeline. There is a thread about it - viewtopic.php?t=24339

If you need this locking to only apply to some tabs, e.g. browsing example.com locked in one tab while simultaneously not locked in another: perhaps after reintroducing ABE, ABE could gain support for having a ruleset apply only in specific Firefox Container(s). Then you could open your locked example.com tab in, say, the default container, while you have an unlocked one open in a different Container. And this would not be the only security benefit from such granularity. But for until/unless all this comes to fruition, note that there are ways to run multiple instances of Firefox simultaneously - either by having multiple Firefox profiles, or (what I do) by being careful and creative with running Firefox in disposable sandbox.

From both security and ease-of-implementation perspective, I think the locking should not be any narrower in scope than this.

[lobotomie]

Thanks for the link, I was not aware that there is still only one dev on this project.

That actually scares me a bit, that it might die at some point.

I used ABE in the past before it was removed due to the architecture changes in FireFox
but I don't know what Containers are. Are you referring to this extension?
https://addons.mozilla.org/de/firefox/a ... ontainers/

[barbaz]

I don't know what Containers are. Are you referring to this extension?

No, I'm referring to the built-in Firefox feature Firefox Containers, which you can enable by going about:config > set privacy.userContext.ui.enabled to true. You can then go to about:preferences > General > Tabs, check "Enable Container Tabs" to enable Containers, and manage your containers with the "Settings..." button (or go to about:preferences#containers). To open a new tab in a different container, click and hold the new tab button. EDIT You can also right-click a link > "Open Link in New Container Tab" > select the desired container.

The Multi-Account Containers extension is just a layer on top of the Firefox Containers feature. I don't use Multi-Account Containers extension, but IIUC it's just to make Containers nicer to use. Using an extension is not required for using Containers.

[lobotomie]

Ah, okay. Good to know!

Btw I just saw there is a github page: https://github.com/hackademix/noscript/issues

Just wondering if I better should have posted the feature request there?

[barbaz]

Btw I just saw there is a github page: https://github.com/hackademix/noscript/issues

Just wondering if I better should have posted the feature request there?

I don't see any advantage to doing that at this point. Quoting myself from another post -

We have nothing against posting a NoScript issue both here & on Github AFAIK, but to anyone who does that, please link the Github issue in the forum thread & vice versa, and keep both places informed.

This forum and NoScript's Github are two different, separate communities, so if you ask both without saying so, we don't know, resulting in one of the two communities duplicating effort and wasting their time.

Giorgio participates in both communities, and your post got discussion here, so not sure what would be gained by taking this to Github?

[lobotomie]

It makes it easier to track the status: https://github.com/hackademix/noscript/issues/317

[barbaz]

Thanks for linking the Github issue here. For the benefit of the NoScript's Github community, and for Giorgio's benefit if he happens to see the Github issue first, could you please also include the link to this forum thread in the Github issue?