Bengaluru, NFAPost: This browser feature enables anyone to tag deep links to web documents unlike the conventional method wherein only the site owner or author was allowed to create anchors for a specific piece of text.
According to Google’s illustration, the new feature works like a “link-creator to specify which portion of the page is interesting, without relying on author annotations.”
Here is how the feature can be embedded into any URL: “[https://en.wikipedia.org/wiki/Cat#:~:text=On islands, birds can contribute as much as 60% of a cat’s diet] This loads the page for Cat, highlights the specified text, and scrolls directly to it.”
Although ScrollToTextFragment proves to be handy for highlighting interesting and useful content on a website, security experts are hinting at an inadvertent exploit hidden within this feature.
Here is what Peter Snyder, a privacy researcher at Brave Browser, explains to Forbes: “Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with [the anchor] #:~:text=cancer. On certain page layouts, I might be able [to] tell if the employee has cancer by looking for lower-on-the-page resources being requested.”
Snyder reaffirms this argument in his recent tweet, suggesting that the feature inadvertently breaches its safety limits: It may be recalled that the internet was abuzz with several privacy concerns prior to the release of Chrome 80 update. But, Google has still gone ahead with the release.
The latest example of WICG work being treated as standard in all but name:
“Scroll To Text Fragment” is shipped unflagged in Chrome 80. It’s not a standard, it has an open PING security / privacy issue filed, and it imposes privacy risk on existing websites. https://t.co/zAUbOTWcCT
— pes (@pes10k) February 18, 2020
Here is what Mozilla’s David Baron commented in a Github post ahead of the release: “My high-level opinion here is that this a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems. So I think the question we should think about is how the problems of the solution chosen here compare to the problems of other options and how they compare to the value of the feature.”
Chromium Engineer David Bokan has also expressed his security concerns regarding the ‘ScrollToTextFragment’ browser capability, in the same Github thread.
“We discussed this and other issues with our security team and, to summarise, we understand the issue but disagree on the severity so we’re proceeding with allowing this without requiring opt-in (though we are still working on adding an opt in/out).”
The lack of opt-in and opt-out options could really upset several Chrome users who have privacy concerns over its use. It is, however, a blessing in disguise that the feature is currently limited to Chrome browser.
