[tbb-bugs] #30570 [Applications/Tor Browser]: Implement per-site security settings support
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 11 17:02:25 UTC 2019
#30570: Implement per-site security settings support
--------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ux-team | Actual Points:
Parent ID: #25658 | Points:
Reviewer: | Sponsor: Sponsor9
--------------------------------------+--------------------------
Comment (by torlove):
Not to stray too far off topic here (i.e. skip this comment if you are
wanting to read about the topic of this thread) but as I understand it,
presently Tor Browser isolates all tabs, so the need for Containers is
redundant. Am I mistaken?
If you really wish to isolate say, one search from the next search,
wouldn't it be better to provide an option on long-pressing the refresh
button to not only refresh but to visit the site at the top level and
clear/reset all cookies?
So for example if I searched at duckduckgo for "foo" and then I want to
search for "bar" after, but I don't want DDG to know that I, as a single
anonymous entity, searched for both "foo" and "bar", is the only option to
click new identity and basically wipe reset the entire browser? I
basically want to perform two operations at once;
a) strip everything from the URL that comes after the slash (to access the
top level or index page of the domain), and
b) click the "New Circuit for this Site" button, which I assumed also
clears cookies but on second thought I'm not 100% certain about that.
c) Clear cookies, (if cookies are not cleared by b) )
d) Wipe away ALL history from that tab such that the Back button won't
work.
e) Close all other tabs that are accessing that page.
This button could be labelled "Fire Reload"?
Presently there is no way to do this without pressing New Identity and
clearing everything. I understand that after 10 minutes a new circuit is
created for all sites, but cookies are not deleted. Which opens a person
up to fingerprinting? Is that correct?
Also, on the topic of fingerprinting, if a person accidentally resizes the
window there should be a button to reset the size back to a size for their
display? I suggest a flashing caution icon, over the onion. The user
clicks the onion icon and there is a menu item "Reset Window Size"? (Note:
I just did a search on this and it's been asked a bunch of times.
See https://trac.torproject.org/projects/tor/ticket/16364)
To further mix things up, on startup, there should probably be an
"Imitate a random screen size" button, for users who want to use it. To
view a website on a random smaller screen size that is standard (i.e.
popular laptops, tablet size, phones, etc.). Importantly a user should be
encouraged to keep that screen size for the duration of the session, if
they want a different screen size they need to select "New Identity" in
the onion menu.
Regardless, we should not stray from the important topic above, and should
create a new topic to discuss isolation/anti-fingerprinting/randomisation
strategies.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30570#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online