Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User's browsing history is leaked in the Sec-CH-PIGIN header #1

Open
ehsan opened this issue Aug 30, 2019 · 1 comment
Open

User's browsing history is leaked in the Sec-CH-PIGIN header #1

ehsan opened this issue Aug 30, 2019 · 1 comment

Comments

@ehsan
Copy link

ehsan commented Aug 30, 2019

I may be misunderstanding something here, but doesn't Sec-CH-PIGIN leak the user's browsing history in the form of the hostname of the caller of joinPrivateInterestGroup()?
@michaelkleber
Copy link
Owner

It reveals one site that the user has probably visited or somehow interacted with recently. (See the "could be a cross-domain iframe" use case.)

The built-in mitigations are that it's only the "most valuable" site and it's only possible if a lot of people have visited it.

@ehsan ehsan mentioned this issue Aug 30, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ehsan @michaelkleber