Scroll to Text Fragment

Scroll to Text Fragment

October 1, 2020

Scroll to Text Fragment (STTF) is a new web platform feature that allows users to create a link to any part of a web page text. The fragment #:~:text= carries a text snippet that is highlighted and brought into the viewport by the browser. This feature can introduce a new XS-Leak if attackers are able to detect when this behavior occurs. This issue is very similar to the Scroll to CSS Selector XS-Leak.

Expected & Discussed Issues #

In early discussions regarding the specification of this feature it was shown that several XS-Leaks could be introduced with a naïve implementation 1. The specification considers various attack scenarios 2, as does research from Google 3. One possible XS-Leak browsers need to be aware of when implementing this feature is:

  • An attacker can, by embedding a page as an iframe, detect whether the page scrolled to the text by listening to the onblur event of the parent document. This approach is similar to the ID Attribute XS-Leak. This scenario is mitigated in the Chrome implementation 4, as it only allows fragment navigation to occur in top-level navigations.

Current Issues #

warning

These XS-Leaks require some type of markup injection on the target page.

During the development process of STTF, new attacks and tricks to detect fragment navigation were found. Some of them still work:

  • A web page that embeds an attacker-controlled iframe might allow the attacker to determine whether a scroll to the text has occurred. This can be done using the IntersectionObserver API 5 2 3.
  • If a page contains images with Lazy Loading, an attacker can detect if fragment navigation that included an image occurred by checking whether the image was cached in the browser. This works because Lazy Loading images are only fetched (and cached) when they appear in the viewport.

important

Scroll to Text Fragment is only available in Chrome. Its draft specification is under active discussion.

info

Scroll to Text Fragment XS-Leaks allow attackers to extract 1 bit of information at a time, as it’s only possible to observe whether a single word exists on the page and only when a user performed some kind of interaction with the page (e.g. a mouse click).

Why is this a problem? #

Attackers can abuse STTF to leak private information about the user that is displayed on a web page.

Case Scenarios #

A user is logged in to their National Health System website, where it is possible to access information about the user’s past diseases and health problems. An attacker can lure the user to one of their pages and use STTF to possibly infer the user’s health details. For example, an attacker would find out that the victim suffers from a disease if they detect a page scroll when searching for that disease’s name.

Defense #

Document PoliciesSameSite Cookies (Lax)COOPFraming ProtectionsIsolation Policies
✔️✔️✔️RIP 🔗 NIP

References #


  1. Privacy concerns with proposal through inducing network requests, link ↩︎

  2. Text Fragments - Security and Privacy, link ↩︎ ↩︎

  3. Scroll-to-text Fragment Navigation - Security Issues, link ↩︎ ↩︎

  4. Boldly link where no one has linked before: Text Fragments, link ↩︎

  5. Possible side-channel information leak using IntersectionObserver, link ↩︎