Open wizeguyy opened 7 months ago
Potentially also add a warning dialog explaining that the refresh is about to load cookies/sessions and give the user the option to cancel or refresh without cookies.
I wonder if it's a bug in the code that tries to minimize these warnings that we already have.
This is a side-effect of NoScript Cross-tab Identity Leak Protection.
I have opened a ticket about it in the Tor Browser issue tracker: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42483
Short version The refresh button, after opening a cross-site URL, reloads the page with cookies which were previously not loaded. This is more than just "refreshing" the page, and I think some indication should be given to the user.
Long version When I open a cross-site link in MB, the link opens with a "clean session" (sorry if I'm using the wrong terminology) with no cookies loaded. To load cookies, e.g. if I want to open a link to a site which has an account logged in, I hit the refresh button and voila, I'm logged in. This feature is awesome, but confusing. Additionally, that first refresh button could be risky if you do not want to load cookies. e.g. what if I am viewing a github link that didn't load correctly, so I need to refresh, but I don't want to load cookies and link my logged in github user account?
Possible solution In this scenario, change the refresh icon to indicate this is more than just a page refresh. This is a page refresh and loading your sessions/cookies.
Potentially also add a warning dialog explaining that the refresh is about to load cookies/sessions and give the user the option to cancel or refresh without cookies.