Re: Isolate-Me explainer

Hi,

As a website developer, Isolate-Me would be very useful for a couple of the websites I work on.

Overall it sounds like it would be very easy to implement; my only concern is links into the website.

I appreciate that reflected XSS/CSRF is a major issue, so I think you are correct to block direct navigation.

However I frequently use links to help users (e.g. bookmarks to specific features, or to support an explanation of a new feature).

In the Open Questions section you mention "we could transform navigations into a navigation to the root URL with some sort of message to allow the site to decide whether the navigation should go through".

May I suggest that the message is instead a header to simply say what the original URL was?

This would allow the website developer to do a simple 302 redirect, if they consider it safe to do so.

Craig
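As an added illustration of the redirect step Craig proposes (example code, not part of this thread or of the Isolate-Me explainer): a root-URL handler that reads a hypothetical `X-Isolated-Original-URL` header, accepts only same-origin paths from a small allowlist, discards query string and fragment so nothing from the cross-origin navigation is reflected, and otherwise serves the root page. The header name, origin and paths are assumptions constructed for the example.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Origin the isolated site is served from (constructed for this example).
SITE_ORIGIN = "https://example.test"

# Paths that are safe to deep-link to: bookmarkable pages that render no
# request-controlled input and change no state on GET (constructed).
SAFE_DEEP_LINK_PATHS = {"/reports", "/settings/notifications", "/help/new-feature"}

# Hypothetical header name: the explainer defines no such header; this is
# one possible shape for the "message" Craig suggests.
ORIGINAL_URL_HEADER = "X-Isolated-Original-URL"


def choose_redirect_target(original_url: str) -> Optional[str]:
    """Return a same-origin path to 302 to, or None to stay on the root page.

    Only the path component is trusted, and only when it is one of the
    pre-approved deep-link paths. Query string and fragment are dropped on
    purpose so nothing reflected from the original navigation reaches the
    target page.
    """
    parts = urlsplit(original_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    if origin != SITE_ORIGIN:            # foreign origin: ignore entirely
        return None
    if parts.path not in SAFE_DEEP_LINK_PATHS:
        return None
    return parts.path


def handle_root_navigation(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Minimal handler for the isolated site's root URL.

    `headers` is the request header map as the server sees it (constructed
    in the test). Returns (status, response headers): a 302 when the
    original URL is considered safe, otherwise a plain 200 for the root page.
    """
    original = headers.get(ORIGINAL_URL_HEADER)
    if not original:
        return 200, {}                   # ordinary visit to the root page
    target = choose_redirect_target(original)
    if target is None:
        return 200, {}                   # serve root; do not forward the URL
    return 302, {"Location": SITE_ORIGIN + target}
```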



> On 16 Sep 2016, at 16:15, Emily Stark (Dunn) <estark@google.com> wrote:
> 
> Hi webappsec! Mike, Joel, and I have been discussing an idea for a developer facing opt-in to allow highly security- or privacy-sensitive sites to be isolated from other origins on the web.
> 
> We wrote up the idea here to explain what we're thinking about, why we think it's important, and the major open questions: https://mikewest.github.io/isolation/explainer.html
> 
> Please read and comment/criticize/etc. Thoughts welcome, either here in this thread or as GitHub issues. Especially interested to hear from Mozilla folks as it relates to and is heavily inspired by containers.
> 
> Thanks!
> Emily

Received on Tuesday, 20 September 2016 08:48:53 UTC