Strict Site Isolation Loses Mouse Clicks On WordPress Site Notification Pop-Ins


#1

I tried the new Strict Site Isolation (love the idea) on Linux Brave, but I find that it makes WordPress site notification window processes inactive to mouse clicks. I found this on 3rd-party sites that use WordPress under their own domains. I can click the WordPress notification button in the WordPress header/banner near the top of the page, and a “pop-in” notification window deploys as normal, but that window is not interactive with the mouse. I think the pop-in MAY be defined as a separate site in some ways, and is not being allowed to be an isolation exception. I do have third-party cookies enabled for the site (required for a WordPress site to have the WordPress banner). Possible solutions are to allow cookie-allowed sites to violate isolation in general, make that a setting, give per-site settings an option to turn off isolation, etc.

Love the idea of strict site isolation and hope this works.

Throwing in another security issue, too. It seems that YouTube fullscreen allowance can somehow cross-site to other sites upon startup, so that they try to fullscreen on startup, too. So there is either something wrong with basic URL isolation of fullscreen on startup, or YouTube in particular has some buggy exception in the permission code that extends its exception to other sites on startup. This is a biggie, because I believe fullscreen is a primary avenue of malicious setting changes under plausible user clicks on social media right now. Anyway, I appreciate that Brave sees fullscreen and cross-site as the serious security issues they are.

Here is the Brave version where these things were observed.

Brave: 0.23.39
V8: 6.7.288.46
rev: 3ee14b026f09d7d71c1985b4a9c9a11d78ab8f49
Muon: 7.1.6
OS Release: 4.4.0-130-generic
Update Channel: Release
OS Architecture: x64
OS Platform: Linux
Node.js: 7.9.0
Brave Sync: v1.4.2
libchromiumcontent: 67.0.3396.103