April 23, 2024
In Chromium-based browsers, when a file was downloaded, a preview of the download process appeared in a bar at the bottom, integrated into the browser window. By monitoring the window height, attackers could detect whether the “download bar” opened:
// Read the current height of the window
var screenHeight = window.innerHeight;
// Load the page that may or may not trigger the download
window.open('https://example.org');
// Wait for the tab to load
setTimeout(() => {
    // If the download bar appears, the height of all tabs will be smaller
    if (window.
...
October 1, 2020
Leaking the Content-Type of a request would provide attackers with a new way of distinguishing two requests from each other.
typeMustMatch
typeMustMatch is a Boolean that reflects the typeMustMatch attribute of the object element. It ensures that a certain MIME type must be enforced when loading an object, by verifying if the Content-Type of the resource is the same as the one provided in the object. Unfortunately, this enforcement also allowed attackers to leak the Content-Type and Status Codes returned by a website [1].
...
October 1, 2020
Some browser features/extensions change the way requests are processed, depending on certain website states generated by the browser. Attackers can sometimes observe the whole process and mess with the browser, triggering actions that produce side effects on those states.
WebKit – ITP
Intelligent Tracking Prevention (ITP) is a privacy feature that is part of WebKit's Tracking Prevention technologies. It combines several features and aims to prevent a website from tracking a user in a third-party context.
...