
Possible attack via redirect chain #217

Open
mgmellia opened this issue Jul 4, 2023 · 1 comment

Comments


mgmellia commented Jul 4, 2023

It is not clear to me what happens when an offending website forces the user's browser to follow a chain of redirects.
According to the documentation, "Redirects will be followed, and the topics sent in the redirect request will be specific to the redirect URL."
Can this potentially lead to an attack in which the browser follows a chain of redirects, each one letting the controlling webmaster obtain one (three) possible topics via document.browsingTopics()?

For instance:
(visit to mysite1.com -> get 3 topics) + (redirect to mysite2.com -> get 3 topics) + (redirect to mysite3.com -> get 3 topics) + ...

With this attack, assuming the three websites are owned by the same (or colluding) organization(s), who controls mysite{X}.com gets up to 3|X| topics in a short time.
Are there any mechanisms in place to prevent this?

Moreover, what is the definition of a website within the Topics API?
Are two subdomains of the same domain considered different websites?
For example, are one.example.org and two.example.org the same or different websites?

Collaborator

jkarlin commented Jul 10, 2023

Good question.

> According to the documentation, "Redirects will be followed, and the topics sent in the redirect request will be specific to the redirect URL."

This is in reference to the Topics request header, which is only sent on subresource requests and subframe navigation requests. Since those aren't top-frame navigations, the topics won't change across redirects.

That said, it would be possible to navigate the user to different sites via script in the top frame and append the various topics received as query params along the way.

If this were to become a problem, one way we could address it would be to return empty topics lists for callers on pages that were navigated to via script from a different site. I'd like to research this to understand just how much it would impact users.

> Moreover, which is the definition of a website within the Topics API?

It's the eTLD+1 of the given URL.

> Are two subdomains of the same domain considered different websites?

Generally not, unless they are on the public suffix list.

edit: whitespace
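To make the eTLD+1 definition above concrete, here is an added example (not code from this repository or from the commenters) that computes the registrable domain of a hostname against a constructed, deliberately tiny stand-in for the public suffix list, and uses it to check whether two hostnames belong to the same site as the Topics API defines it. The real public suffix list is far longer and also contains exception rules, which this helper does not handle.

```python
from typing import Optional

# Constructed mini public-suffix list (assumption: a tiny stand-in for the real
# list at https://publicsuffix.org). A plain rule matches that exact suffix;
# a "*." rule matches any single label directly under it.
MINI_PSL = [
    "com",
    "org",
    "io",
    "github.io",                 # each user subdomain is its own site
    "*.compute.amazonaws.com",   # wildcard rule: every region is a suffix
]


def public_suffix(hostname: str) -> str:
    """Return the longest public suffix of hostname (exception rules ignored)."""
    labels = hostname.lower().rstrip(".").split(".")
    best, best_len = labels[-1], 1
    for rule in MINI_PSL:
        rlabels = rule.split(".")
        if len(rlabels) > len(labels):
            continue
        tail = labels[-len(rlabels):]
        if all(r == "*" or r == lbl for r, lbl in zip(rlabels, tail)):
            if len(rlabels) > best_len:
                best, best_len = ".".join(tail), len(rlabels)
    return best


def etld_plus_one(hostname: str) -> Optional[str]:
    """Registrable domain (eTLD+1), or None when the host is itself a suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    n = len(public_suffix(hostname).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def same_site(a: str, b: str) -> bool:
    """True when both hosts share a registrable domain, i.e. one Topics 'site'."""
    site = etld_plus_one(a)
    return site is not None and site == etld_plus_one(b)
```

So one.example.org and two.example.org resolve to the single site example.org, whereas mysite1.com, mysite2.com and mysite3.com from the question are three distinct sites, as are two user subdomains under a public-suffix entry such as github.io.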
