Also, re: NoScript 11.4.23rc2 -
barbaz wrote: ↑Wed Aug 10, 2022 9:17 pm If I test this protection with a cross-site link to this forum while I'm logged in here, and select "Load anonymously", I'm completely logged out of the forum. Is total logout an intended part of the defense? (As opposed to e.g. performing the anonymous load in a new, temporary, NoScript-created Firefox container to prevent logout in the "legitimate" tab, if such is technically possible in WebExtensions.)
Looks like NoScript 11.4.23rc2 took a different approach: the anonymous load strips Cookie request headers and Set-Cookie response headers, but preserves the original cookies for subsequent loads.Giorgio Maone wrote: ↑Thu Aug 11, 2022 4:59 am That depends on the website. If they automatically assign an anonymous session id (like it happens here), it overrides the one you had and you're automatically logged out for good.
Anyway I'll investigate using containers to mitigate this side effect, thanks.
Which raises a few questions:
1) So cookies are the only thing that needs to be anonymized to fully stop this attack, and the use of Containers for the anonymous load would be overkill?
2) Does it matter that subsequent loads in the tab are not anonymized? e.g. navigating clicking a same-origin link on the anonymously-loaded tab is no longer loaded anonymously
3) Might it matter that cookies in an anonymously-loaded page are still accessible via document.cookie?
Thanks for info