Hi, As a website developer, Isolate-Me would be very useful for a couple of the websites I work on. Overall it sounds like it would be very easy to implement, my only concern is links in to the website. I appreciate that reflected XSS/CSRF is a major issue, so I think you are correct to block direct navigation. However I frequently use links to help users (e.g. bookmarks to specific features, or to support an explanation of a new feature). In the Open Questions section you mention "we could transform navigations into a navigation to the root URL with some sort of message to allow the site to decide whether the navigation should go through". May I suggest that the message is instead a header to simply say what the original URL was? This would allow the website developer to do a simple 302 redirect, if they consider it safe to do so. Craig > On 16 Sep 2016, at 16:15, Emily Stark (Dunn) <estark@google.com> wrote: > > Hi webappsec! Mike, Joel, and I have been discussing an idea for a developer facing opt-in to allow highly security- or privacy-sensitive sites to be isolated from other origins on the web. > > We wrote up the idea here to explain what we're thinking about, why we think it's important, and the major open questions: https://mikewest.github.io/isolation/explainer.html <https://mikewest.github.io/isolation/explainer.html> > > Please read and comment/criticize/etc. Thoughts welcome, either here in this thread or as GitHub issues. Especially interested to hear from Mozilla folks as it relates to and is heavily inspired by containers. > > Thanks! > Emily
Received on Tuesday, 20 September 2016 08:48:53 UTC