Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possibility to execute document.browsingTopics() for a script HTML tag #239

Open
AurelienMozoo opened this issue Aug 28, 2023 · 3 comments

Comments

@AurelienMozoo
Copy link
Contributor

It is not possible to get topic API datas using document.browsingTopics() without using a non-friendly iframe context. It means a Javascript file https://example.com/getTopicAPIDatas.js even if the URL where the file is hosted was whitelisted after an enrollment, won't be able to execute document.browsingTopics(). Adding a non-friendly iframe that would target "https://example.com/getTopicAPIDatas.js" could have impacts on loading time of the web page or current script executions and therefore won't be the best solution.

Would it be possible to whitelist host/files that would allow javascript tags integrated directly on web pages to get topic API datas ?

Example: Considering a website "website.com" writing a javascript tag (<script src="https://example.com/getTopicAPIDatas.js">) and https://example.com is whitelisted/enrolled, https://example.com/getTopicAPIDatas.js would be able to execute document.browsingTopics().

@jkarlin
Copy link
Collaborator

jkarlin commented Aug 28, 2023

Thanks for the feedback. From a security perspective, this isn't possible. Each document and its execution environment are associated with a single origin, that of the document. Third-party subresources loaded and executed within that same environment are considered to be owned by the origin of the document. This is to prevent unconsented data leakage from one origin to another.

@patmmccann
Copy link

could have impacts on loading time of the web page or current script executions and therefore won't be the best solution.

We've found it is fine, just delay the insertion until the main thread isn't busy.

@jkarlin
Copy link
Collaborator

jkarlin commented Aug 29, 2023

An alternative is to provide a browsingTopics attribute on <script> tags. This should be clean from a security perspective, and not add additional latency.

Edit: To make it clear what I'm talking about, the browsingTopics attribute would imply that the network request for the js resource would include the topics in the request header. A con of this approach is this would discourage caching of your js.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants