Cross-tab Identity Leak Protection doesn't show when TabGuard is used
What the user experiences, and STR:
- log in twitter.com
- open another tab and load mullvad.net
- in the mullvad.net footer, click on the twitter link
- the twitter page open as not logged into twitter
- refresh the page or click on the login link, twitter is now shown logged in
What happens is that "when triggered, i.e. on cross-site requests across related tabs, TabGuard removes the authentication headers from the request and shows a red TG badge near its icon."
As we don't have the NoScript webextension icon in the Tab Bar, the user is never warned that the page is loaded stateless until the user refresh the page or trigger a page load by clicking on a link.
@ma1 suggest to maybe having "something" (what?) in the security level badge for this more common and *almost* seamless thing
Ping @donuts
(In the grand scheme of things, this has low impact on users, but will make the overall experience less convenient and more confusing)
See: https://noscript.net/usage/#crosstab-identity-leak-protection