In Chromium-based browsers, when a file was downloaded, a preview of the download process appeared in a bar at the bottom, integrated into the browser window. By monitoring the window height, attackers could detect whether the “download bar” opened:
// Read the current height of the window
var screenHeight =window.innerHeight;
// Load the page that may or may not trigger the download
window.open('https://example.org');
// Wait for the tab to load
setTimeout(() => {
// If the download bar appears, the height of all tabs will be smaller
if (window.innerHeight < screenHeight) {
console.log('Download bar detected');
} else {
console.log('Download bar not detected');
}
}, 2000);
typeMustMatch is a Boolean that reflects the typeMustMatch attribute of the object element. It ensures that a certain MIME type must be enforced when loading an object, by verifying if the Content-Type of the resource is the same as the one provided in the object. Unfortunately, this enforcement also allowed attackers to leak the Content-Type and Status Codes returned by a website 1.
Some browser features/extensions change the way requests are processed, depending on certain website states generated by the browser. Attackers can sometimes observe the whole process and mess with the browser, triggering actions that produce side effects on those states.
Intelligent Tracking Prevention (ITP) is a privacy feature which is part of WebKit Tracking Prevention technologies. It’s a conjunction of several features and aims to prevent a website from tracking a user under a third-party context. Unfortunately, the initial design introduced a new XS-Leak 1, allowing attackers to abuse the states implicitly created by ITP to classify websites as trackers.