The possibility of examining the contents of cross-origin documents by attempting to load them with different known hashes and then triggering the reporting behavior (or noticing that navigation in an <iframe> has not taken place) seems like a fairly significant issue, right? It feels that it would make it considerably easier to fingerprint user state across a large number of sites, compared to previously demonstrated approaches.

What would be the behavior of clicking on a non-download link with the integrity parameter specified? What would happen if this link is opened in a new window? It seems that it may be difficult to behave consistently in this case (e.g., how to handle right-click + "open in an incognito window" in Chrome?).

/mz

Received on Wednesday, 8 January 2014 16:39:48 UTC