
Allow logged-in users to bypass the allow-list #120

Closed
seanh opened this issue Jan 14, 2021 · 1 comment

Comments

@seanh
Contributor

seanh commented Jan 14, 2021

  1. If a user is logged in to h then allow them to bypass the allow-list and proxy any page

  2. If a user is not logged in they will still get blocked by the allow-list, but the block page will now tell them that they can annotate the site if they log in or sign up (with either a link to a log in / sign up form or even one directly in the page)

  3. The blocklist will still apply, even to logged-in users

Pros

  • This should still prevent Via from being abused for phishing, malware, etc because unauthenticated users will see a Hypothesis page not the phishing or malware page

  • This would remove allow-list-created friction entirely for authenticated users.

Cons

  • When an authenticated user shares a Via link and unauthenticated users click on it (or when an unauthenticated user just tries to use Via directly) there will still be some friction: the unauthenticated user will be asked to log in or sign up. But that may be the lowest-friction we can actually manage?

  • Users who are logged in to Hypothesis would be vulnerable to Via-based phishing/malware/etc :) However, various other ideas that we've had could help to mitigate this: opening the sidebar automatically in Via; showing a banner; preventing following links or submitting forms within Via, etc etc. See the Prevent unwanted uses of Via milestone

@seanh seanh added this to the Reduce friction of annotating not-yet-allowed sites with public Via milestone Jan 14, 2021
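The three rules in the issue fix an ordering for the proxy's decision: the blocklist is checked first and applies to everyone, an authenticated user then gets through regardless of the allow-list, and an unauthenticated user is proxied only for allow-listed hosts and otherwise sent to a log in / sign up page. The function below is an added illustration of that ordering, not code from Via or from the Hypothesis project. The allow-list and blocklist contents, the `decide` / `_host` / `_matches` names and the `.test` hostnames are all constructed for the example. It also shows the host-matching detail the issue does not spell out: matching must be done on the parsed hostname (exact host or a subdomain of a listed host), not on a substring of the URL, or `http://example.com@phishing.test/` and `notexample.com` would slip past the lists.

```python
from urllib.parse import urlsplit

# Constructed lists for illustration only; Via's real configuration differs.
ALLOW_LIST = {"example.com", "en.wikipedia.org"}
BLOCK_LIST = {"phishing.test", "malware.test"}

# Decision outcomes (hypothetical names, not Via's).
PROXY = "proxy"                    # fetch and serve the page through Via
BLOCK = "block"                    # show the block page, no sign-in option
LOGIN_REQUIRED = "login_required"  # show the block page with log in / sign up


def _host(url):
    """Return the normalised hostname of an http(s) URL, or None if unusable.

    urlsplit().hostname already lower-cases the host, strips the port and
    discards any userinfo, so 'https://example.com@phishing.test/' yields
    'phishing.test' rather than 'example.com'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")  # treat 'example.com.' like 'example.com'


def _matches(host, domains):
    """True if host is one of the listed domains or a subdomain of one.

    Comparing whole labels ('.' + domain) avoids the classic suffix bug where
    'notexample.com' would match an entry for 'example.com'.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(url, authenticated):
    """Apply the issue's three rules in order and return an outcome."""
    host = _host(url)
    if host is None:
        return BLOCK
    # Rule 3: the blocklist applies even to logged-in users, so check it first.
    if _matches(host, BLOCK_LIST):
        return BLOCK
    # Rule 1: a logged-in user bypasses the allow-list entirely.
    if authenticated:
        return PROXY
    # Rule 2: an anonymous user is still limited to the allow-list, and the
    # block page offers them a way to log in or sign up.
    if _matches(host, ALLOW_LIST):
        return PROXY
    return LOGIN_REQUIRED


if __name__ == "__main__":
    for url, auth in [
        ("https://example.com/article", False),
        ("https://docs.example.com/page", False),
        ("https://notexample.com/", False),
        ("https://notexample.com/", True),
        ("https://phishing.test/login", True),
        ("https://example.com@phishing.test/", True),
        ("javascript:alert(1)", True),
    ]:
        print(f"{'auth' if auth else 'anon':4} {url:45} -> {decide(url, auth)}")
```

Putting the blocklist check before the authentication check is what keeps rule 3 true; if the order were reversed, a logged-in user would reach `PROXY` before the blocklist was consulted.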
@seanh
Contributor Author

seanh commented Jan 14, 2021

Duplicate of #119

@seanh seanh marked this as a duplicate of #119 Jan 14, 2021
@seanh seanh closed this as completed Jan 14, 2021