Still, no browser has abandoned padlock/green bar. And as I said at the WebAppSec meeting, password and contact auto fill should really only work on Single Trust pages.
Demand a unique token in the URL. Get Referer in browsers that don't support Referer policy.
<img src="evildotcom/storeForTrackingCookieThatThisGuyIsWorriedAboutProstateCancer/dummy.jpg" referrerpolicy="no-referrer" />
Aren't you confusing "the page loads third-party resources" with "the developer has gone out of their way to send data about your interaction with their site to a third-party in a way that is completely independent of the platform"?
I’m assuming a script dynamically creating these image resource loads. I’m just going after a simple, technical restriction for particularly sensitive pages. Nothing more.
If the site owner wrote the script why wouldn't they share the same data via a server-side request? It will be stealthier, and it's the same amount of code for them (one line). If someone else wrote the script and the site owner doesn't want to run it, why is it on their page?
I totally think your goal is laudable, but it's very difficult to see how this would work without the developer opting their sensitive site into this mode. And such a developer already has enough control over their site to make it not do what you're worried about.
Conversely, a developer who wants to share your data with a third party can do so with a backend request and there is no way for your browser to know about this. Your U-A might tell you a nice story it cannot in any way verify.
This all comes down to liability, which is what it’s all about. I go to A’s website. A) They proxy stuff and leak my data. I go after A. B) They embed XYZ like everyone else and XYZ leak my data. I go after A. A says “We had no idea!” I have no play.
Two questions: 1) Would a site "have any idea" about sharing data if the same happened in a server-side module they installed? 2) How would you learn about this if it happens purely offline? Sadly, it seems difficult to have a constructive technical discussion about either one.
Recent attacks use keyboard/mouse events to do stuff like send form contents. It's not about referer. What about these contexts?
Lukasz-- Your scenario describes the case where the 3rd party has the ability to run script in the first party domain. Artur's point is that there are ways to include resources that are inherently less powerful and less impactful to privacy.
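The "inherently less powerful" resource inclusion Artur refers to, and the "simple, technical restriction for particularly sensitive pages" asked for earlier, can both be expressed as a site opting its sensitive pages into a strict Content-Security-Policy plus a no-referrer policy. The following is an added Python example, not code from anyone in this thread; the header values, the small CSP source matcher (which handles only 'self', 'none', '*' and plain host sources, a subset of real CSP syntax) and the sample tracking-image URL are constructed for illustration.

```python
from urllib.parse import urlparse

# Headers a site would send on a sensitive page so that the browser refuses
# third-party image/script/fetch loads and strips the Referer entirely.
# Constructed example values, not anything quoted in the thread.
SENSITIVE_PAGE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; img-src 'self'; script-src 'self'; connect-src 'self'"
    ),
    "Referrer-Policy": "no-referrer",
}


def _origin(url):
    """scheme://host[:port] of a URL, lower-cased."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_allows(policy, directive, resource_url, page_url):
    """Return True if the policy lets page_url load resource_url under directive.

    Falls back to default-src when the directive is absent, as a browser does.
    Supports 'self', 'none', '*' and host sources (optionally scheme-prefixed
    or '*.'-wildcarded); other CSP source forms are out of scope here.
    """
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src", ["*"])
    res = urlparse(resource_url)
    res_host = res.netloc.lower()
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "*":
            return True
        if s == "self":
            if _origin(resource_url) == _origin(page_url):
                return True
            continue
        # Host source, e.g. https://cdn.example or *.example
        scheme, _, host = s.rpartition("://")
        if scheme and scheme != res.scheme.lower():
            continue
        if host.startswith("*."):
            if res_host.endswith(host[1:]):
                return True
        elif res_host == host:
            return True
    return False


if __name__ == "__main__":
    policy = parse_csp(SENSITIVE_PAGE_HEADERS["Content-Security-Policy"])
    page = "https://a.example/medical-form"
    # Constructed stand-in for the tracking pixel discussed above.
    tracker = "https://evil.example/dummy.jpg"
    print("tracker allowed:", csp_allows(policy, "img-src", tracker, page))
    print("own logo allowed:", csp_allows(policy, "img-src", "https://a.example/logo.png", page))
```

With these headers a script on the page can still create the `<img>` element, but the browser drops the load before any request leaves, so the `referrerpolicy` attribute never comes into play. This is an opt-in by the site owner, which is exactly the limitation raised in the replies above: it protects against third-party code the owner did not intend to run, not against an owner who ships the data server-side.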