generated from privacycg/template
-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cross-site subresource tracking vulnerability #76
Comments
Agree. As mentioned in #75 chrome's implementation does clear partitions under the tracking 1P site. We need to update the spec to match. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@Trikolon raised an interesting vulnerability when thinking about partitioned iframes that generalizes to multiple types
Consider a bounce tracker
bouncer.tracker.com
that also controls a domainbounce-tracker.example.com
. Instead of maintaining state directly onbouncer.tracker.com
, they load a sub-resource frombounce-tracker.example.com
which uses URL decoration to encode the context of the bounce and uses the cookies ofbounce-tracker.example.com
to maintain a user-id.Looking at the algorithms now, the (bounce set)[https://privacycg.github.io/nav-tracking-mitigations/#bounce-tracking-record-bounce-set] would not contain
bounce-tracker.example.com
, as it is never navigated or redirected through so we don't add it in process response received for bounce tracking. Because of that, when we later record stateful bounces for bounce tracking, we don't considerbounce-tracker.example.com
. But, worse yet, we no longer havebouncer.tracker.com
to be purged either because it is never added to a storage access set . So nothing ends up purged.I think the best way to fix this is to delete CHIPS cookies (#75) and make the cookie write algorithm use the request's client's top-level origin rather than the request's origin directly.
The text was updated successfully, but these errors were encountered: