
Allow authenticated users to bypass the allow-list #119

Open
seanh opened this issue Jan 14, 2021 · 1 comment
Labels
Via Allow-list Friction Ideas for reducing friction caused by Via's allow-list

Comments

@seanh
Contributor

seanh commented Jan 14, 2021

  1. If a user is logged-in to h then allow them to bypass the allow-list and proxy any page

  2. If a user is not logged-in they will still get blocked by the allow-list, but the block page will now tell them that they can annotate the site if they log in or sign up (with either a link to a log in / sign up form or even one directly in the page)

  3. The blocklist will still apply, even to logged-in users

Pros

  • This should still prevent Via from being abused for phishing, malware, etc because unauthenticated users will see a Hypothesis page not the phishing or malware page

  • This would remove allow-list-created friction entirely for authenticated users.

Cons

  • When an authenticated user shares a Via link and unauthenticated users click on it (or when an unauthenticated user just tries to use Via directly) there will still be some friction: the unauthenticated user will be asked to log in or sign up. But that may be the lowest friction we can actually manage?

  • Users who are logged in to Hypothesis would be vulnerable to Via-based phishing/malware/etc :) However, various other ideas that we've had could help to mitigate this: opening the sidebar automatically in Via; showing a banner; preventing following links or submitting forms within Via, etc etc. See the Prevent unwanted uses of Via milestone

@seanh seanh added this to the Reduce friction of annotating not-yet-allowed sites with public Via milestone Jan 14, 2021
@robertknight
Member

Users who are logged in to Hypothesis would be vulnerable to Via-based phishing/malware/etc :)

We could perhaps add some kind of interstitial page that is presented to logged-in users telling them that they are about to visit a proxied page. Conceptually this would serve a similar purpose to a Via banner, but it would be more visible.

In other words, the various flows of visitors would be like this:

Any user visits allowed page: Visit proxied URL => Proxied page presented
Logged-out user visits non-allowed page: Visits proxied URL => Prompted to signup / log in => Proxied page presented
Logged-in user visits not-allowed page: Visits proxied URL => Shown interstitial page with a button to continue => Proxied page presented
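The decision logic for the three flows listed above, as an added Python example that is not Via's own code: the allow-list, blocklist and URLs are constructed, matching a host by suffix is an assumed rule, and the `acknowledged` flag stands in for the interstitial's continue button.

```python
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse


class Outcome(Enum):
    BLOCKED = "blocked"            # blocklist wins, even for logged-in users
    PROXY = "proxy"                # serve the proxied page
    LOGIN_PROMPT = "login_prompt"  # block page offering log in / sign up
    INTERSTITIAL = "interstitial"  # "you are about to visit a proxied page"


@dataclass(frozen=True)
class Request:
    url: str
    authenticated: bool          # logged in to h?
    acknowledged: bool = False   # clicked "continue" on the interstitial?


# Constructed sample lists; real deployments load these from configuration.
ALLOW_LIST = frozenset({"example.org"})
BLOCK_LIST = frozenset({"malware.example"})


def _host_matches(host: str, entries: frozenset) -> bool:
    """True if host equals an entry or is a subdomain of one (assumed rule).

    The explicit "." prefix stops "notexample.org" matching "example.org".
    """
    host = host.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in entries)


def decide(req: Request, allow_list: frozenset = ALLOW_LIST,
           block_list: frozenset = BLOCK_LIST) -> Outcome:
    """Route one proxy request according to the flows in the discussion."""
    host = urlparse(req.url).hostname or ""
    if not host or _host_matches(host, block_list):
        return Outcome.BLOCKED          # point 3: blocklist applies to everyone
    if _host_matches(host, allow_list):
        return Outcome.PROXY            # any user visits an allowed page
    if not req.authenticated:
        return Outcome.LOGIN_PROMPT     # point 2: logged-out, non-allowed page
    if not req.acknowledged:
        return Outcome.INTERSTITIAL     # logged-in, first visit: warn before proxying
    return Outcome.PROXY                # point 1: logged-in user bypasses the allow-list
```

Unparseable URLs fall through to BLOCKED so that a hostname the lists cannot be checked against is never proxied by default.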

@seanh seanh added the Via Allow-list Friction Ideas for reducing friction caused by Via's allow-list label Feb 15, 2021
@seanh seanh removed this from the Ideas: Reduce friction of annotating not-yet-allowed sites with public Via milestone Feb 16, 2021