google / detangle

Apache License 2.0

force URLs to specific profiles #14

Open richterdavid opened 4 years ago

richterdavid commented 4 years ago

Sometimes some flow ends up at a corp SSO login screen in my regular (or even isolated) profile, which if I'm not careful I may end up logging into.

Sometimes I navigate from an isolated site to a site I don't want to ever open in isolated mode.

Could there be support to require certain URLs to only be opened in specific profiles? E.g., corp SSO -> corporate profile, trusted.consumer.site.com in regular profile.

therealmik commented 4 years ago

The choice to make handoffs one-way was deliberate (and revisited a few times), to prevent external sites from being able to launch attacks against internal sites through the URL (e.g. XSS, SQLi, etc).

We added blocked sites functionality to prevent accidentally using your credentials in the wrong browser - the regular_blacklist and risky_blacklist config keys control this, and take the same format as the other settings.
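As an added illustration of the blocked-sites idea described above (this is example code written for this page, not detangle's own implementation): a per-profile blocklist lookup that takes a profile name and a URL and says whether that navigation should be refused in that profile. The key names `regular_blacklist` and `risky_blacklist` are the ones named in the thread; the pattern format (bare hostnames, with a leading `.` meaning "this host and every subdomain of it") and the sample policy are assumptions constructed for the example.

```javascript
// Constructed sample policy. The key names come from the thread; the
// hostname-pattern format is an assumption made for this example.
const samplePolicy = {
  regular_blacklist: ['.sso.corp.example', 'hr.corp.example'],
  risky_blacklist: ['.sso.corp.example', '.corp.example', 'trusted.consumer.example'],
};

// A pattern beginning with "." matches the base host and all of its
// subdomains; any other pattern must match the hostname exactly.
function hostMatches(hostname, pattern) {
  if (pattern.startsWith('.')) {
    const base = pattern.slice(1);
    return hostname === base || hostname.endsWith(pattern);
  }
  return hostname === pattern;
}

// Returns true when urlString must not be opened in the given profile.
// Unknown profiles (no "<profile>_blacklist" key) and unparsable URLs
// are not blocked, mirroring the "blocklist only restricts" semantics.
function isBlocked(profile, urlString, policy = samplePolicy) {
  const patterns = policy[`${profile}_blacklist`];
  if (!Array.isArray(patterns)) return false;
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  const host = url.hostname.toLowerCase();
  return patterns.some((p) => hostMatches(host, p.toLowerCase()));
}

// Decision helper: "block" stops the navigation, "allow" lets it proceed.
function decide(profile, urlString, policy = samplePolicy) {
  return isBlocked(profile, urlString, policy) ? 'block' : 'allow';
}

module.exports = { samplePolicy, hostMatches, isBlocked, decide };
```

Note that a plain hostname such as `hr.corp.example` is an exact match only, so `www.hr.corp.example` is not covered unless the pattern is written as `.hr.corp.example`; when building a blocklist to keep SSO credentials out of the wrong profile, the subdomain form is usually the one you want.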

richterdavid commented 4 years ago

Where are the blacklist controls in the detangle UI?

On Thu, Apr 16, 2020 at 5:10 PM Michael Samuel notifications@github.com wrote:

The choice to make handoffs one-way was deliberate (and revisited a few times), to prevent external sites from being able to launch attacks against internal sites through the URL (e.g. XSS, SQLi, etc).

We added blocked sites functionality to prevent accidentally using your credentials in the wrong browser - the regular_blacklist and risky_blacklist config keys control this, and take the same format as the other settings.


therealmik commented 4 years ago

Oh, they might only be exposed in the managed policy - I don't think it ever occurred to us that end-users would want to put their own controls in (rather than via enterprise policy).

crankyoldgit commented 4 years ago

Oh, they might only be exposed in the managed policy - I don't think it ever occurred to us that end-users would want to put their own controls in (rather than via enterprise policy).

Doooeeeit! ;-)

richterdavid commented 4 years ago

I would be okay with doing this via a block list, and copying URLs between browsers if the usage is legit.