All of them. But real 3rd-parties, not just cross-origin with the same owner.
Replying to @johnwilander @sleevi_ and
<img src="https://evil.com" referrerpolicy="no-referrer" /> What can http://evil.com do?
Replying to @arturjanc @sleevi_ and
<img src="evildotcom/storeForTrackingCookieThatThisGuyIsWorriedAboutProstateCancer/dummy.jpg" referrerpolicy="no-referrer" />
Replying to @johnwilander @sleevi_ and
Aren't you confusing "the page loads third-party resources" with "the developer has gone out of their way to send data about your interaction with their site to a third-party in a way that is completely independent of the platform"?
Replying to @arturjanc @sleevi_ and
I’m assuming a script dynamically creating these image resource loads. I’m just going after a simple, technical restriction for particularly sensitive pages. Nothing more.
Replying to @johnwilander @sleevi_ and
If the site owner wrote the script why wouldn't they share the same data via a server-side request? It will be stealthier, and it's the same amount of code for them (one line). If someone else wrote the script and the site owner doesn't want to run it, why is it on their page?
Replying to @arturjanc @johnwilander and
I totally think your goal is laudable, but it's very difficult to see how this would work without the developer opting their sensitive site into this mode. And such a developer already has enough control over their site to make it not do what you're worried about.
Replying to @arturjanc @johnwilander and
Conversely, a developer who wants to share your data with a third party can do so with a backend request and there is no way for your browser to know about this. Your U-A might tell you a nice story it cannot in any way verify.
Replying to @arturjanc @sleevi_ and
This all comes down to liability, which is what it’s all about. I go to A’s website. A) They proxy stuff and leak my data. I go after A. B) They embed XYZ like everyone else and XYZ leak my data. I go after A. A says “We had no idea!” I have no play.
Replying to @johnwilander @sleevi_ and
Two questions: 1) Would a site "have any idea" about sharing data if the same happened in a server-side module they installed? 2) How would you learn about this if it happens purely offline? Sadly, it seems difficult to have a constructive technical discussion about either one.
One other thing to note is that if offline sharing becomes more popular, users lose more control. Backend request may be over HTTP, data may be tied to your profile on the site, you can't reset your identifier, etc. I'd be wary of pushing developers in that direction.