Implement text-fragments (with sufficient privacy protections)

[pes10k]

Chrome ships a feature called "Text Fragments" that allow for, effectively, automatically scrolling to text in the page. It seems useful, but has open and known privacy risks 1, 2.

Brave would like to implement, but we don't feel comfortable doing so as is. We should prompt users before respecting / scrolling to the text fragment, with browser-controlled UI asking something lilke:

Would you like to scroll to text "X" (if it exists)

1. Yes
2. No
[ ] Don't ask again for this site

If the user selects "yes", we should visibly scroll the user display to the text fragment (if it exists)

This would make it further difficult for the the linking page to use it to probe page contents, and significantly reduce the chance for user confusion / phisihing / credential stealing

[bsclifton]

cc: @rebron @anthonypkeane

[ghost]

@pes10k @bsclifton Hi all! I thought of this idea here: WICG/scroll-to-text-fragment#187

[psifertex]

None of this (Edit to add "this" being the security concerns in other related issues) seems like they would be blockers to creating links using this specification however? I frequently use this feature to send specific links to others, most of whom it will work for as they're not running brave.

I don't see why any security concerns on rendering such links would necessarily block the creation of them. Is there a different issue I'm missing that explains why that's the case?

[besserwisser]

I would also love a setting to accept the risk and don't get asked. Immediately scroll. For me the improvement in UX is worth the risk.

[yajo]

I don't think this proposal makes much sense.

The text-fragment-link has 2 ways to work:

1. Producing a new link (right-click on text and copy link to fragment).
2. Consuming a privacy link (clicking on a link that already exists).

The only part that has privacy problems AFAICS is part 1, producing a new link. You might be revealing sensitive information from that page without knowing it.

However, part 2, consuming a link, has no privacy problems at all AFAICS. If a link already exists, is already posted, and already contains instructions to land in a part of the page, then all the privacy problems already happened. There's no added privacy value in not scrolling to that part of the page.

Thus, IMHO the way Brave should handle this with proper privacy would be:

• Display the banner when the user wants to generate the link. The user is aware of the privacy problems and can make a decision.
• Support scrolling to links out of the box, without any annoying banner.

[pirate]

It's the opposite @yajo, producing a link is not the security concern. Viewing a link can potentially reveal whether the given text is present on the page to an attacker that can sniff DNS traffic. See here for an explanation: https://web.dev/articles/text-fragments#security

[yajo]

an attacker that can sniff DNS traffic

🤔 After reading the whole thing (without AI!) IIUC, if the page you visit implements lazy image loading, is big enough, the searched text is down enough, and has a lot of images, and each of them belongs to a different domain, and Brave or the OS didn't cache the DNS answer yet (maybe because of private browsing, or the DNS has a very low TTL, or it's really the 1st time visited), and the IP from where you ask the DNS server is meaningful enough (not from an airport) you potentially can know more or less what portion of the page is the one where the user is going... Or if the text is something like "log out" and the log out button happens to exist at the footer of an extremely long page that is full of images that come from different domains, and you can sniff all DNS traffic... you can know the IP of the user that is going to that place and... do what? How many users can share the same IP? How is it different than if the "log out" button has an id=log-out and you click on site.example.com#log-out?

Or maybe you meant HTTP traffic instead. Well, HTTP traffic has some bigger exposure to the issue... But you could forbid the feature only on non-HTTPS sites for example. It's supposed that, with HTTPS, you already trust the site serving you the contents and there's no MITM. If there were one, this would be the lesser problem.

Honestly, I think that the weight of the dangers involved is so very low as compared to the benefits of the feature. Disabling it without any possibility to re-enable it is a bit too much...

And, if there's no danger in generating one of those links, at least having that would be good.

I'm nobody here, just an opinion. I'm probably wrong in many points. Thanks for Brave and for being so careful about security and privacy in any case! ❤

[valynor]

As a side note: Safari recently added "copy link with highlight", too.