One habit I need to get out of is logging out of accounts when they have their own browser container. For decades I'd make sure I'd log out of accounts to help prevent XSS attacks, but w/ containers that is/shouldn't be a problem as that container is only used for that specific site.
John-Mark Gurney (encthenet@flyovercountry.social)'s status on Wednesday, 15-May-2024 07:57:19 JST
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 15-May-2024 07:57:13 JST
@feld @encthenet Heh well badwolf has containers built-in, effectively because there's a lot of ways of getting cookie-like storage from browsers, so even things like first-party only http-cookie don't seem enough to me.
(Like you entirely can use ETags as cookies, so I keep caching isolated)
That said the containers in mine aren't per-site, it's more there to avoid tracking/fingerprinting than security, and while a modification to make it per-site would be doable, it would be horrible in terms of performance.
I think a dedicated browser like Tangram makes more sense for when you want webapps to be isolated. That said I somehow still haven't evaluated it.
feld (feld@bikeshed.party)'s status on Wednesday, 15-May-2024 07:57:14 JST
@encthenet The only person I know with enough knowledge of how the browser engines work (specifically WebKit) is @lanodan who makes Badwolf and might be able to tell us more about what is and is not currently possible in this arena
John-Mark Gurney (encthenet@flyovercountry.social)'s status on Wednesday, 15-May-2024 07:57:15 JST
@feld and GC of "old" containers doesn't even need to be that complicated either, only keep the last 10, or say anything used in the last 2-4 weeks or some blend as well.
and it does look like the plugin is pure JS, so seems like it'd be totally doable.
feld (feld@bikeshed.party)'s status on Wednesday, 15-May-2024 07:57:16 JST
@encthenet and if you have multiple containerized logins for a site it could ask which one to allow...
There's gotta be something I don't understand about the underlying mechanics here
John-Mark Gurney (encthenet@flyovercountry.social)'s status on Wednesday, 15-May-2024 07:57:17 JST
@feld Yeah. It should be easy enough to say, if you access this domain, auto open in container w/o the need to do the BS to "create" a container for that site. e.g. auto containerize this site. Though it is complicated by some stupid crazy SAML/SSO redirects that some sites do.
This would also apply to iframes, where if it attempted to access a site in an iframe, it'd deny the site, and open a new window for that site.
feld (feld@bikeshed.party)'s status on Wednesday, 15-May-2024 07:57:18 JST
@encthenet I struggle to understand why we can't automatically containerize this and have some popup modal to ask if your login for X can be accessed by site Y.
Like, expose a fake cookie that the browser tries to access and give you a chance to approve/deny for a short time period or permanently if it's an SSO situation
feld (feld@bikeshed.party)'s status on Wednesday, 15-May-2024 08:56:33 JST
@lanodan @encthenet thanks for sharing, it's very much appreciated 😀
Haelwenn /элвэн/ :triskell: likes this.