Open richterdavid opened 4 years ago
The choice to make handoffs one-way was deliberate (and revisited a few times), to prevent external sites from being able to launch attacks against internal sites through the URL (eg. XSS, SQLi, etc).
We added blocked sites functionality to prevent accidentally using your credentials in the wrong browser - the regular_blacklist and risky_blacklist config keys control this, and take the same format as the other settings.
Where are the blacklist controls in the detangle UI?
On Thu, Apr 16, 2020 at 5:10 PM Michael Samuel notifications@github.com wrote:
Oh, they might only be exposed in the managed policy - I don't think it ever occurred to us that end-users would want to put their own controls in (rather than via enterprise policy).
Doooeeeit! ;-)
I would be okay with doing this via a block list, and copying URLs between browsers if the usage is legit.
Sometimes some flow ends up at a corp SSO login screen in my regular (or even isolated) profile, which, if I'm not careful, I may end up logging into.
Sometimes I navigate from an isolated site to a site I don't want to ever open in isolated mode.
Could there be support to require certain URLs to only be opened in specific profiles? E.g., corp SSO -> corporate profile, trusted.consumer.site.com in regular profile.
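A toy model of the routing rules discussed in this thread (one-way handoffs plus per-profile blocklists), added here as an illustration; it is not detangle's code, and everything except the regular_blacklist and risky_blacklist key names (the corporate_sites/regular_sites keys, the host-pattern format, and the profile names) is an assumption.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Trust order, most trusted first. A handoff may only move "down" this list,
# so a less-trusted profile can never push a URL into a more-trusted one.
PROFILES = ("corporate", "regular", "risky")


@dataclass
class Config:
    corporate_sites: list            # hostname globs owned by the corporate profile (assumed key)
    regular_sites: list              # hostname globs owned by the regular profile (assumed key)
    regular_blacklist: list = field(default_factory=list)  # never load these in "regular"
    risky_blacklist: list = field(default_factory=list)    # never load these in "risky"


def _matches(url: str, patterns) -> bool:
    """Case-insensitive glob match of the URL's hostname against a pattern list."""
    host = (urlsplit(url).hostname or "").lower()
    return any(fnmatch(host, p.lower()) for p in patterns)


def home_profile(url: str, cfg: Config) -> str:
    """Profile a URL belongs to; anything not explicitly listed is isolated (risky)."""
    if _matches(url, cfg.corporate_sites):
        return "corporate"
    if _matches(url, cfg.regular_sites):
        return "regular"
    return "risky"


def route(current: str, url: str, cfg: Config):
    """Decide what happens when `url` is navigated to from profile `current`.

    Returns ("blocked", reason), ("handoff", target_profile) or ("open", profile).
    """
    # Blocklist first: this is the "wrong browser" credential guard from the thread.
    blacklist = {"regular": cfg.regular_blacklist, "risky": cfg.risky_blacklist}.get(current, [])
    if _matches(url, blacklist):
        return ("blocked", f"{urlsplit(url).hostname} is on the {current} blocklist")
    target = home_profile(url, cfg)
    if target == current:
        return ("open", current)
    if PROFILES.index(target) < PROFILES.index(current):
        # One-way rule: no upward handoff. The URL simply stays in the current
        # profile, which is exactly how a corp SSO page can show up in "regular".
        return ("open", current)
    return ("handoff", target)
```

The last branch is why the thread's blocklist matters: a refused upward handoff does not block the page, it just leaves it in the less-trusted profile.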