
Cross-tab Identity Leak Protection doesn't show when TabGuard is used

What the user experiences, and STR:

  • log in to twitter.com
  • open another tab and load mullvad.net
  • in the mullvad.net footer, click on the twitter link
  • the twitter page opens as not logged into twitter
  • refresh the page or click on the login link, twitter is now shown logged in

What happens is that "when triggered, i.e. on cross-site requests across related tabs, TabGuard removes the authentication headers from the request and shows a red TG badge near its icon."

As we don't have the NoScript webextension icon in the Tab Bar, the user is never warned that the page is loaded stateless until the user refreshes the page or triggers a page load by clicking on a link.

@ma1 suggests maybe having "something" (what?) in the security level badge for this more common and *almost* seamless thing

Ping @donuts

(In the grand scheme of things, this has low impact on users, but will make the overall experience less convenient and more confusing)

See: https://noscript.net/usage/#crosstab-identity-leak-protection
