[FIXED] Cross-tab identity leak protection warning about a site potentially attacking itself

Posted: Tue Jun 27, 2023 4:47 pm
by barbaz
Firefox 114.0.2
NoScript 11.4.23rc5
new profile

STR:

1) about:preferences > General > Tabs, check "When you open a link, image or media in a new tab, switch to it immediately"

2) when installing NoScript be sure to enable "Allow this extension to run in Private Windows"

3) NoScript Options > Advanced, Cross-tab identity leak protection "Enabled everywhere" and "Prompt before anonymizing any request"

4) visit any page on https://forums.informaction.com/

5) NoScript Options > Per-site Permissions, set informaction.com and mozilla.org Trusted

6) visit viewtopic.php?t=26871, open the bugzilla link Giorgio posted there in a new tab

7) open in a new tab the link back to that thread ("suggested here") (so now there are two tabs open to that thread)

8) select "Load normally" on the expected cross-tab identity leak protection warning

9) close the last opened tab, then repeat (7)

At this point, NoScript throws the following cross-tab identity leak protection -

You are about to load a page from informaction.com.

If you are a informaction.com logged-in user, information about your identity might be acquired by informaction.com.

Umm. If forums.informaction.com wanted to determine my identity on forums.informaction.com, surely there must be an easier way than trying to perform the cross-tab identity leak attack on itself, no? :P

Why is this warning happening?

(This is not a regression in latest dev build - it also happens with rc4)

Re: Cross-tab identity leak protection warning about a site potentially attacking itself

Posted: Tue Jun 27, 2023 5:10 pm
by Giorgio Maone
Interesting. Investigating, thanks.

Re: Cross-tab identity leak protection warning about a site potentially attacking itself

Posted: Wed Jun 28, 2023 2:40 pm
by Giorgio Maone
Fixed in latest dev build, thanks:

v 11.4.24rc1
============================================================
x [TabGuard] Stop exempting domains bidirectionally by
default
x [TabGuard] Fix destination domain being reported as the
trigger of a warning prompt when all the other tab-tied
domains have been exempted (thanks barbaz for report)