Change the web browsers. Firewall sites from each other in the browser. Any HTTP authentication / cookies / SSL client certificates used to access a site or that were created by a site must not be accessible or usable from another site for anything.
While we're at it, allow users to clear HTTP authentication passwords and SSL client authentication or, better yet, clear them when the user closes the last page that uses them.
This caching of authentication while any browser instance keeps running is dangerous and, for most users, unexpected.