Detecting if a cross-site page triggered a navigation (or didn’t) can be useful to an attacker. For example, a website may trigger a navigation in a certain endpoint depending on the status of the user. To detect if any kind of navigation occurred, an attacker can: Use an iframe and count the number of times the onload event is triggered. Check the value of history.length, which is accessible through any window reference. ...
In Chromium-based browsers, when a file was downloaded, a preview of the download process appeared in a bar at the bottom, integrated into the browser window. By monitoring the window height, attackers could detect whether the “download bar” opened: // Read the current height of the window var screenHeight = window.innerHeight; // Load the page that may or may not trigger the download window.open('https://example.org'); // Wait for the tab to load setTimeout(() => { // If the download bar appears, the height of all tabs will be smaller if (window. ...