When you have multiple tabs open in a browser

• They are normally all active (you can be in one tab while youtube is playing in another)
• If tabs are in the same domain, they are sharing the cookie file
• Browsers allow one tab to see and update other tabs
  • This is how other password managers can put an extension in a browser that fills in the username and password
  • They do have to imitate the communication from the real tab in order to succeed
  • They don't have to be the same domain
  • Banks are now requiring 2-step verification to intercept this and Man In The Browser attacks

At 3rdKey, we don't want other tabs to be able to communicate with our server. We don't want them to have the opportunity to imitate the communication and possibly fool the server. But we also don't want to force you to do 2-step verification every time you ask to see anything on 3rdKey.com.

Therefore, when you open a link in a new tab, we don't allow that new tab to know anything about the encryption keys that we're using, and so that tab is unable to exchange information with the server.

How do we do this?