I brought this kind of webpage up at W3C WebAppSec. I think such sensitive pages should not only load over https but also only load resources from one org, a.k.a. Single Trust.
-
I go to my healthcare provider’s page on diabetes, prostate cancer, or abortion. The page loads 3rd-parties. No sensitive leakage? 3rd-party script sends off form data in cross-origin pixel requests. No leakage?
-
First of all, you should define what you mean by "loads 3rd-parties". Images? Fonts? Frames? Stylesheets? Scripts? Scripts with SRI?
-
All of them. But real 3rd-parties, not just cross-origin with the same owner.
-
<img src="https://evil.com" referrerpolicy="no-referrer" /> What can http://evil.com do?
-
Demand a unique token in the URL. Get Referer in browsers that don't support Referer policy.