Hidden download detection #162
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
terjanq
reviewed
May 1, 2024
terjanq
reviewed
May 1, 2024
content/docs/attacks/navigations.md
Outdated
| @@ -35,7 +35,7 @@ To detect if any kind of navigation occurred, an attacker can: | |||
|
|
|||
| When an endpoint sets the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header, it instructs the browser to download the response as an attachment instead of navigating to it. Detecting if this behavior occurred might allow attackers to leak private information if the outcome depends on the state of the victim's account. | |||
|
|
|||
| ### Download Navigation (with iframes) | |||
| ### Download Navigation (without Lax cookies) | |||
There was a problem hiding this comment.
I wouldn't change the headings since if they're linked somewhere then the links will stop working after the changes. Instead, it's probably worth adding hintboxes about the cookie types. Also, I think that it would be worth incorporating into the text how the sandboxed iframe helps in detecting the download.
There was a problem hiding this comment.
- Added the headings back.
- I think stuff about cookie types is meant to go in https://xsleaks.dev/docs/defenses/opt-in/same-site-cookies/
- Added text about why a sandboxed iframe is used.
terjanq
approved these changes
Jul 6, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds sandbox to
Download Navigation (with iframes)to prevent a download, with comment about usingwindow.openinside it.