content/docs/attacks/historical/_index.md
5 additions & 5 deletions
@@ -5,9 +5,9 @@ weight: 11
# Historical Attacks
-
The articles in this section present XS-Leaks that were addressed within the browser and don't work anymore. Some of the mitigations consist of:
+
The articles in this section present XS-Leaks that have been addressed within browsers and no longer work. Different mitigation strategies were applied, such as:
-
-Reduce the accuracy of some powerful APIs.
-
-Add noise to a certain measurement to prevent any malicious inference from it.
-
-Deprecate and remove features and APIs.
-
-Change feature behavior.
+
-Reducing the accuracy of some powerful APIs.
+
-Adding noise to a certain measurement to prevent any malicious inference from it.
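Review bot: the hunk header covers 9 lines on both sides, but of the four deleted bullet items only the first two reappear here in the new gerund form ("Reducing the accuracy...", "Adding noise..."); please confirm the remaining two ("Deprecate and remove features and APIs.", "Change feature behavior.") were rewritten the same way, as "Deprecating and removing features and APIs." and "Changing feature behavior.", because the new lead-in "Different mitigation strategies were applied, such as:" only reads correctly with gerund items. Minor: "a certain measurement" in the noise bullet could be tightened to "a measurement".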
content/docs/attacks/historical/content-type.md
5 additions & 5 deletions
@@ -15,15 +15,15 @@ defenses = [
menu = "main"
+++
-
Leaking the Content-Type of a request could offer an attacker a new way to distinguish two requests from each other.
+
Leaking the Content-Type of a request would provide attackers with a new way of distinguishing two requests from each other.
## typeMustMatch
-
[`typeMustMatch`](https://developer.mozilla.org/en-US/docs/Web/API/HTMLObjectElement/typeMustMatch) is a boolean that reflects the `typeMustMatch` attribute of the `object` element. It ensures a certain MIME type must be enforced when loading an objectverifying if the `Content-Type` of the resource is the same as the one provided in the object. Unfortunately, this enforcement would allow attackers to leak the `Content-Type` and Status Codes returned by a website [^1]
+
[`typeMustMatch`](https://developer.mozilla.org/en-US/docs/Web/API/HTMLObjectElement/typeMustMatch) is a Boolean that reflects the `typeMustMatch` attribute of the `object` element. It ensures that a certain MIME type must be enforced when loading an object, by verifying if the `Content-Type` of the resource is the same as the one provided in the object. Unfortunately, this enforcement also allowed attackers to leak the `Content-Type` and Status Codes returned by a website [^1].
### Root Cause
-
Considering the snippet below, `not_loaded` would be rendered if the returned `Content-Type` of `https://target/api` did not match the one in `type`, or the server returned a status different than `200`.
+
Considering the snippet below, `not_loaded` would be rendered if the returned `Content-Type` of `https://target/api` did not match the one in `type`, or if the server returned a status different than `200`.
```html
<objecttype="application/json"
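Review bot: the rewritten sentence after `+++` still says "the Content-Type of a request", but the header being leaked is the one on the response from `https://target/api` (the same hunk later speaks of the `Content-Type` and Status Codes "returned by a website"); suggest "the Content-Type of a response". In the `typeMustMatch` paragraph, "It ensures that a certain MIME type must be enforced when loading an object, by verifying if" doubles up ensure/must; "It enforces a given MIME type when loading an object by verifying that the resource's `Content-Type` matches the one declared on the element" is tighter. The capitalised "Status Codes" is also inconsistent with the lowercase "status" used in the Root Cause paragraph.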
@@ -34,7 +34,7 @@ not_loaded </object>
#### Issues
-
An attacker could leak the `Content-Type` and Status Codes of a website by detecting whether the object rendered, which will happen when [all the conditions]({{< ref "#root-cause" >}}) are met. The attacker could check the values of `clientHeight` and `clientWidth` which will likely be different than 0 when the object renders (and returns status `200`). Since `typeMustMatch` requires the server to return status `200` to load a resource, it would be possible to detect error pages, similarly to [Error Events]({{< ref "../error-events.md" >}}) XS-Leaks.
+
An attacker could leak the `Content-Type` and Status Codes of a website by detecting whether the object rendered, which happens when [all conditions]({{< ref "#root-cause" >}}) are met. The attacker could check the values of `clientHeight` and `clientWidth` which are likely to be different than 0 when the object renders (and returns status `200`). Since `typeMustMatch` requires the server to return status `200` to load a resource, it would be possible to detect error pages, similar to [Error Events]({{< ref "../error-events.md" >}}) XS-Leaks.
The example below shows how this behavior could be detected by embedding an object inside an `iframe` and checking the values of `clientHeight` and `clientWidth` when the `iframe` triggers the `onload` event.
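Review bot: in the added Issues paragraph, "`clientHeight` and `clientWidth` which are likely to be different than 0" needs a comma before "which" and reads better as "which are likely to be non-zero". The parenthetical "(and returns status `200`)" attaches to "the object renders" although it is the server that returns the status; "when the object renders (that is, when the server returned status `200`)" would be clearer.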
@@ -62,7 +62,7 @@ ifr.onload = () => {
### Fix
-
Firefox was the only browser supporting the `typeMustMatch` attribute [^2] and since no other browsers offered support, it was removed in version 68 and from the HTML Living Standard.
+
Firefox was the only browser that supported the `typeMustMatch` attribute [^2], and since no other browsers offered support, it was removed in version 68 and from the HTML Living Standard.
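Review bot: in the rewritten Fix sentence the subject of "it was removed in version 68" is ambiguous, because the grammatical subject of the sentence is "Firefox"; suggest "the attribute was removed in Firefox 68 and dropped from the HTML Living Standard" so that both the browser version and the spec change read unambiguously.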
content/docs/attacks/historical/stateful-browser-features.md
9 additions & 9 deletions
@@ -9,28 +9,28 @@ defenses = [
menu = "main"
+++
-
Some browser features/extensions change the way requests are processed depending on certain website states generated by the browser. Attackers can sometimes observe the whole process and mess with the browser, triggering actions that produce side-effects on those states.
+
Some browser features/extensions change the way requests are processed, depending on certain website states generated by the browser. Attackers can sometimes observe the whole process and mess with the browser, triggering actions that produce sideeffects on those states.
-
## WebKit - ITP
+
## WebKit – ITP
-
[Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature part of [WebKit Tracking Prevention technologies](https://webkit.org/tracking-prevention/). It’s a conjunction of several features to prevent a website from tracking a user under a third-party context. Unfortunately, the initial design introduced a new XS-Leak [^1], allowing attackers to abuse the states implicitly created by ITP to classify websites as trackers.
+
[Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature which is part of [WebKit Tracking Prevention technologies](https://webkit.org/tracking-prevention/). It's a conjunction of several features and aims to prevent a website from tracking a user under a third-party context. Unfortunately, the initial design introduced a new XS-Leak [^1], allowing attackers to abuse the states implicitly created by ITP to classify websites as trackers.
### Root Cause
-
To classify whether a website has tracking capabilities, ITP collects statistics on resource loads as well as user interactions in websites such as clicks, taps, or text entries. Based on the classification of these statistics, ITP gives a strike to a website if it is believed to have tracking capabilities. After 3 strikes a website is put on a deny list and is treated differently by the browser in future requests.
+
To classify whether a website has tracking capabilities, ITP collects statistics on resource loads as well as on user interactions with websites such as clicks, taps, or text entries. Based on the classification of these statistics, ITP gives a strike to a website if it is believed to have tracking capabilities. After 3 strikes, a website is put on a deny list and is treated differently by the browser in future requests.
#### Issues
-
One of the issues of ITP is that attackers can manipulate it to arbitrarily enforce certain behaviors. For example, one could force ITP to give a strike to a domain and check if the domain entered the deny list. This could be levered in different ways, for example:
+
One of the issues of ITP is that attackers can manipulate it to arbitrarily enforce certain behaviors. For example, an attacker could force ITP to give a strike to a domain and check if the domain entered the deny list. This information could be leveraged in different ways, for example to:
-
-Leaking the user's browsing habits based off of how many strikes are necessary for a domain to enter the deny list
-
-Using the deny list to implement an XS-Search attack against a page that includes cross-site resources only when results are present
+
-Leak the user's browsing habits based on how many strikes are necessary for a domain to enter the deny list.
+
-Use the deny list to implement an XS-Search attack against a page that includes cross-site resources only when results are present.
### Fix
-
To [fix the issue](https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/), instead of relying on classifications, ITP now considers every site as a "tracking" one by default. This removes the implicit states which allowed attackers to detect certain ITP behaviors.
+
To [fix the issue](https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/), ITP now considers every site to be a "tracking" site by default, instead of relying on classifications. This removes the implicit states which allowed attackers to detect certain ITP behaviors.
## References
[^1]: Information Leaks via Safari’s Intelligent Tracking Prevention, [link](https://arxiv.org/pdf/2001.07421.pdf)
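Review bot: the first rewritten paragraph introduces a regression: "side-effects" became "sideeffects"; restore the hyphen (or write "side effects"). Changing the heading from "## WebKit - ITP" to "## WebKit – ITP" (en dash) changes the heading text and therefore any anchor generated from it, so check that no `ref` to this heading elsewhere in the docs breaks before merging. The rest of the hunk is an improvement: the Issues lead-in "for example to:" now pairs correctly with the imperative items "Leak ..." and "Use ...", and the comma after "After 3 strikes" fixes the run-on.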