Scroll to Text Fragment
October 1, 2020
Scroll to Text Fragment (STTF) is a new web platform feature that allows users to create a link to any part of a web page text. The fragment
#:~:text= carries a text snippet that is highlighted and brought into the viewport by the browser. This feature can introduce a new XS-Leak if attackers are able to detect when this behavior occurs. This issue is very similar to the Scroll to CSS Selector XS-Leak.
Expected & Discussed Issues #
In early discussions for the specification of this feature it was shown that several XS-Leaks could be introduced with a naïve implementation 1. The specification considers various attack scenarios 2, as does some research from Google 3. One possible XS-Leak browsers need to be aware of when implementing this feature is:
- An attacker can, by embedding a page as an
iframe, detect whether the page scrolled to the text by listening to the
onblurof the parent document. This approach is similar to the ID Attribute XS-Leak. This scenario is mitigated in the Chrome implementation 4 as it only allows the fragment navigation to occur in top-level navigations.
Current Issues #
warningThese XS-Leaks require some type of markup injection on the target page.
During the development process of STTF new attacks and tricks to detect a fragment navigation were found. Some of them still work:
- A web page that embeds an attacker-controlled
iframemight allow the attacker to determine whether a scroll to the text has occurred. This can be done using the
IntersectionObserverAPI 5 2 3.
- If a page contains images with Lazy Loading an attacker might known if a fragment navigation that included an image occurred by checking whether it was cached in the browser. This occurs because Lazy Loading images are only fetched (and cached) when they appear in the viewport.
importantScroll to Text Fragment is only available in Chrome. Its draft specification is under active discussion.
infoScroll to Text Fragment XS-Leaks allow attackers to extract 1 bit of information at a time as it’s only possible to observe whether a single word exists on the page and only when a user performed some kind of interaction with the page (e.g. mouse click).
Why is this a problem? #
Attackers can abuse STTF to leak private information about the user that is displayed on a web page.
Case Scenarios #
- A user is logged in to their National Health System website, where it is possible to access information about the user’s past diseases and health problems. An attacker can lure the user to one of their pages and use STTF to possibly infer the user’s health details. For example an attacker would find out if the victim suffers from a disease if they detect a page scroll when searching for that disease name.