Opened 3 months ago

Last modified 6 weeks ago

#30570 new enhancement

Implement per-site security settings support

Reported by: gk
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ux-team
Cc: tbb-team, dmr, isnaiter, arthuredelstein, mcs, brade
Actual Points:
Parent ID: #25658
Points:
Reviewer:
Sponsor: Sponsor9

Description

The native (without messing with the NoScript menu) per-site security settings support mentioned in proposal 101 is still missing. This ticket is for implementing it.

Change History (4)

comment:1 Changed 3 months ago by pili

Sponsor: Sponsor9

comment:2 Changed 7 weeks ago by torlove

Thanks for opening this ticket, gk. Good to see that there is a sponsor for this.

The document referred to above:
https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101-security-controls-redesign.txt

As I have said in another ticket:

"It is a good document, whatever we can do to make things easier for beginners is good.

There are two items discussed in the resource above that have not been done.

1) Educating the user about the changes.

Although it was not part of the scope of the document, the author clearly states that this is an area that requires attention. It is important to tell users of impending changes, and to inform a user when a change is implemented. The home screen is the best place to do that.

2) Moving per-site js permissions (NoScript) to the URL bar:

In my opinion, NoScript should be moved to the URL bar to the right of the "Toggle Reader View" button. The icon should be one that suggests code or scripting, either:

a) a tiny backslash inside angled brackets, or
b) the standby/power symbol (https://www.symbols.com/symbol/standby-symbol), or
c) a gear icon with JS written lightly inside.

Alongside the icon should be a small tag with the number of js domains blocked having a strike-through. The number of approved js domains used by the page would not have a strike-through.

NoScript needs to continue being one click away because when a page/document loads and the JS is blocked there is no way to re-trigger the page load event. So there are times when the user must access NoScript after multiple page load events. Typically two page loads are needed, but I have seen websites where five page loads are needed. The user needs to repeat this process for a domain every time they restart Tor browser.

In the interests of educating the user, after restarting the browser we might inform the user that editing the permissions may make fingerprinting easier. Especially if you repeatedly use the same settings.

Furthermore, in terms of simplifying the toolbar, the 'three dot icon' is redundant. The three options a user gets are:

  • Bookmark this page (the user already has a bookmark button)
  • Copy link.
  • Email link.

None of these options add value; I'd much rather dedicate the space to the NoScript icon and subsequent tag.

comment:3 Changed 7 weeks ago by cypherpunks

Can we get something like Firefox Containers type UX?

comment:4 Changed 6 weeks ago by torlove

Not to stray too far off topic here (i.e. skip this comment if you are wanting to read about the topic of this thread) but as I understand it, presently Tor Browser isolates all tabs, so the need for Containers is redundant. Am I mistaken?

If you really wish to isolate say, one search from the next search, wouldn't it be better to provide an option on long-pressing the refresh button to not only refresh but to visit the site at the top level and clear/reset all cookies?

So for example, if I searched at duckduckgo for "foo" and then I want to search for "bar" after, but I don't want DDG to know that I, as a single anonymous entity, searched for both "foo" and "bar", is the only option to click new identity and basically wipe/reset the entire browser? I basically want to perform two operations at once:
a) Strip everything from the URL that comes after the slash (to access the top level or index page of the domain), and
b) Click the "New Circuit for this Site" button, which I assumed also clears cookies but on second thought I'm not 100% certain about that.
c) Clear cookies (if cookies are not cleared by b)).
d) Wipe away ALL history from that tab such that the Back button won't work.
e) Close all other tabs that are accessing that page.

This button could be labelled "Fire Reload"?

Presently there is no way to do this without pressing New Identity and clearing everything. I understand that after 10 minutes a new circuit is created for all sites, but cookies are not deleted. Which opens a person up to fingerprinting? Is that correct?

Also, on the topic of fingerprinting, if a person accidentally resizes the window there should be a button to reset the size back to a size for their display? I suggest a flashing caution icon, over the onion. The user clicks the onion icon and there is a menu item "Reset Window Size"? (Note: I just did a search on this and it's been asked a bunch of times. See https://trac.torproject.org/projects/tor/ticket/16364)

To further mix things up, on startup, there should probably be an "Imitate a random screen size" button, for users that want to use it. To view a website on a random smaller screen size that is standard (i.e. popular laptops, tablet size, phones, etc.). Importantly a user should be encouraged to keep that screen size for the duration of the session; if they want a different screen size they need to select "New Identity" in the onion menu.

Regardless we should not stray from the important topic above, and should create a new topic to discuss isolation/anti-fingerprinting/randomisation strategies.
