Offer auto-create site scope (was "Default scope for temporarily (session) whitelisting") #124
Comments
|
What you suggest was also requested in the past. I think that would be a good feature. There is currently issue #119 with auto-whitelisting in wrong scope. I will look into this while I try to figure the problem and fix. If there is one part of flakiness with HTTPSB, it is to deal with a limitation in Chrome API which prevents the request handling code to know with 100% certainty from which web page a request occurred. This flakiness is why #119. I didn't thoroughly investigate yet, but it might end up being a hairy issue to deal with, so adding auto-scope on top could aggravate things. Anyway, I think I will work on this for the next release. Another solution I thought about In the past is to offer a time-to-live for auto-whitelisted hostnames. What do you think about this one? (which could still be a useful setting I suppose even going with the auto-scope suggestion). |
|
For the record regarding auto-scope matter, just to add on how this would be a good feature, one of the beneficial effect of scoping is that smart reload will make any whitelisting/blacklisting on the page result in a reload only for the scoped page (unless of course another web page is opened with the same scope). |
|
Ah, I forgot to look in the closed tickets, my bad. A TTL would be nice addition overall! Figuring out a good default time-out is difficult to determine though. |
I wouldn't bother trying to decide for the user, I would just let them choose their own TTL, like for the cache clearing or session cookie deleting: something like "Delete auto-created scopes x minutes after they have been last used." |
No, I prefer to have a separate issue, the other suggestion was made inside another issue which makes it more difficult to track. So this issue here is specific and easy to track, so I keep it opened. |
|
I like both proposals. However, I wouldn't restrict the changed default scope to temporary whitelisting only. See also the proposal on https://www.wilderssecurity.com/showpost.php?p=2325131&postcount=241 |
Yes, I wasn't planning too. I personally wouldn't use auto-whitelist, but I definitely would use auto-scope. I am going to change the title to reflect more the feature to implement. |
My intention was not to restrict whitelisting only on the domain scope. Just change the default behavior to be on the domain scope instead of the default that is used right now which is the global scope.
Sure, no problem! |
|
Fixed in 17974e0 |
Right now with the default blocking behavior the default scope for whitelisting elements is the global scope. Wouldn't it be more secure if the default scope for temporary whitelisting of items is just the domain without a wildcard in front?
I can imagine users temporarily whitelisting f_book on some site, and forgetting that is a global whitelist. So f_book can keep track off the users for as long as the user keeps going in one session.
The text was updated successfully, but these errors were encountered: