Allow authenticated users to bypass the allow-list #119

@seanh

  1. If a user is logged in to h then allow them to bypass the allow-list and proxy any page

  2. If a user is not logged in they will still get blocked by the allow-list, but the block page will now tell them that they can annotate the site if they log in or sign up (with either a link to a log in / sign up form or even one directly in the page)

  3. The blocklist will still apply, even to logged-in users

Pros

  • This should still prevent Via from being abused for phishing, malware, etc. because unauthenticated users will see a Hypothesis page, not the phishing or malware page

  • This would remove allow-list-created friction entirely for authenticated users.

Cons

  • When an authenticated user shares a Via link and unauthenticated users click on it (or when an unauthenticated user just tries to use Via directly) there will still be some friction: the unauthenticated user will be asked to log in or sign up. But that may be the lowest friction we can actually manage?

  • Users who are logged in to Hypothesis would be vulnerable to Via-based phishing/malware/etc. :) However, various other ideas that we've had could help to mitigate this: opening the sidebar automatically in Via; showing a banner; preventing following links or submitting forms within Via, etc. See the Prevent unwanted uses of Via milestone
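
The order of checks that the three numbered rules imply, as an added sketch that is not part of this issue or of Via's code. The `decide` function, the list contents and the host names are hypothetical; subdomain matching and the rejection of non-HTTP(S) URLs are assumptions of the sketch.

```python
from enum import Enum
from urllib.parse import urlsplit


class Decision(Enum):
    PROXY = "proxy"                # serve the proxied page
    LOGIN_PROMPT = "login_prompt"  # block page offering log in / sign up
    BLOCKED = "blocked"            # block page, no bypass offered


# Constructed sample lists (hypothetical domains).
BLOCKLIST = {"malware.example"}
ALLOWLIST = {"news.example"}


def _host(url):
    """Return the normalised host of an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname is already lower-cased; drop a trailing root dot so
    # "malware.example." cannot slip past a list entry "malware.example".
    return parts.hostname.rstrip(".")


def _listed(host, domains):
    """True if host is a listed domain or a subdomain of one (assumption)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(url, authenticated):
    host = _host(url)
    if host is None:
        return Decision.BLOCKED
    # Rule 3 is checked first: the blocklist applies even to logged-in
    # users, so it must run before the authenticated bypass.
    if _listed(host, BLOCKLIST):
        return Decision.BLOCKED
    # Rule 1: logged-in users bypass the allow-list.
    if authenticated:
        return Decision.PROXY
    # Rule 2: anonymous users are still subject to the allow-list and
    # are shown the log in / sign up prompt when the site is not on it.
    if _listed(host, ALLOWLIST):
        return Decision.PROXY
    return Decision.LOGIN_PROMPT
```

Swapping the first two checks would let any logged-in user reach blocklisted sites, which is the ordering mistake this layout guards against.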
