A step to increase it-security is segmenting client-side (cookie) storage: https://github.com/privacycg/storage-partitioning
"User agent state that is keyed by a single origin or site is an acknowledged privacy and security bug. Through side-channels or more directly, this allows:
- A
top-level site
https://site-a.exampleA to infer that a user is also visiting top-level sitehttps://site-b.exampleB, by embedding resources or documents from B in A. Beyond visiting, it can also allow A to infer specific state from B that depends on the user, thereby revealing many aspects of the user. Timing Attacks on Web Privacy, XS-Leaks, and COSI discuss this in more detail. - Conversely,
it allows a site
https://tracker.examplewhose resources might be embedded on many different sites, to track the end user across these sites.
To solve a key aspect of this, any such user agent state needs to be keyed by more than a single origin or site.
There are many standards that together make up a user agent and many of these standards define “problematic” state. This repository’s issue tracker is where we're coordinating the effort to address these issues in an ideally holistic manner. The actual changes will happen in each impacted standard and are collated here for visibility."
Therefore Mozilla Firefox has started Total Cookie Protection in version 86. In Mozillas blog post is a nice picture, which explains the principle of client-side cookie storage partitioning:
No comments:
Post a Comment