> Can a web page (and scripts it may be running) loaded in a given
> browser tab interfere in any way with the content of another tab?
Only if it's same origin with that tab, or the content of the other tab
opts-in for some form of cross-domain communication, or it's been opened
with window.open() by a script in this tab or viceversa (in the latter
cases it has an handle to the window of the other tab, either as the
return value of window.open() or as the window.opener property, but it
cannot actually touch the content unless it's same domain).
Please notice that the Tor Browser provides even stronger guarantees of
inter-tab insulation, but I'd dare say even those provided by vanilla
Firefox are enough for our case.
Of course, any tab can open an alert box saying "Verification
Successful", but it cannot overlay a different tab and, most important,
cannot detect any hint that the verification is happening, since it
happens in the extension, rather than in the content page (ideally, as
soon as e10s is ready, it would even happen in a separate process).
At any rate, since the extension would be "allmighty", we can implement
any UI-level strategy (e.g. going full screen or topmost on the windows
stack) to ensure nothing else can tamper with user's perception.
-- G
On 08/07/2015 02:16, intrigeri wrote:
> Hi,
>
> Giorgio Maone wrote (07 Jul 2015 23:24:07 GMT) :
>> So, just to be clear, *web pages cannot interfere in any way* with the
>> result of the verification performed by the browser add-on, except if
>> there are bugs in the add-on itself (very unlikely, since its code is
>> gonna be relatively simple and high-level) or in the hosting browser
>> (less unlikely, as we know that sh*t happens) .
> Thanks a lot for this clarification. Good to know!
>
> For completeness' sake, let me ask another one:
>
> Can a web page (and scripts it may be running) loaded in a given
> browser tab interfere in any way with the content of another tab?
>
> (Here, I'm defining "content" as "whatever the user sees". E.g.
> detecting that the verification process is ongoing, and displaying
> a "Verification successful" overlay or dialog box counts as
> interfering in this context: most users won't know that such an
> overlay or dialog box has a different origin and shall not
> be trusted.)
>
>> This said as an expert of browser technology and web security :)
> Yay :)
>
> Cheers,
--
Giorgio Maone
https://maone.net