
User's browsing history is leaked in the Sec-CH-PIGIN header

Open · ehsan opened this issue 6 years ago · 1 comment

I may be misunderstanding something here, but doesn't Sec-CH-PIGIN leak the user's browsing history in the form of the hostname of the caller of joinPrivateInterestGroup()?

ehsan avatar Aug 30 '19 18:08 ehsan

It reveals one site that the user has probably visited or somehow interacted with recently. (See the "could be a cross-domain iframe" use case.)

The built-in mitigations are that it's only the "most valuable" site and it's only possible if a lot of people have visited it.

michaelkleber avatar Aug 30 '19 18:08 michaelkleber
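The two mitigations named in the reply above (disclose only the single "most valuable" interest group, and only when enough users share it) can be sketched as a small model. This is an added illustration, not PIGIN spec text or any browser's code; `K_ANONYMITY_THRESHOLD`, the group records, their `value` and `population` fields, and `joinPrivateInterestGroup()` as the source of the `owner` hostname are all assumptions constructed for the example.

```javascript
// Constructed model (not the PIGIN spec or browser code) of the mitigations
// described in the thread: the header names at most one interest group, chosen
// as the highest-value group, and only if enough distinct users belong to it.
// All names and numbers below are assumptions for illustration.

const K_ANONYMITY_THRESHOLD = 1000; // assumed threshold, not a spec value

// Groups this browser joined via (hypothetical) joinPrivateInterestGroup().
// `owner` is the hostname of the joining page, i.e. the browsing-history signal
// the reporter is concerned about. `value` is an assumed stand-in for how
// valuable the group is to a buyer; `population` is the assumed global count
// of distinct users in the group.
const CONSTRUCTED_GROUPS = [
  { owner: "shoes.example", name: "running-shoes", value: 0.8, population: 250000 },
  { owner: "rare-hobby.example", name: "rare-collectors", value: 0.95, population: 12 },
  { owner: "news.example", name: "sports-readers", value: 0.5, population: 900000 },
];

// Unmitigated variant: disclose every joined group. Every owner hostname,
// including the 12-member group that identifies the user almost uniquely,
// lands in the header value.
function buildHeaderNaive(groups) {
  return groups.map((g) => `${g.owner}/${g.name}`).join(", ");
}

// Mitigated variant: keep only groups whose population meets the threshold,
// then pick the single highest-value one; null means send no header at all.
function selectDisclosableGroup(groups, k = K_ANONYMITY_THRESHOLD) {
  const eligible = groups.filter((g) => g.population >= k);
  if (eligible.length === 0) return null;
  return eligible.reduce((best, g) => (g.value > best.value ? g : best));
}

function buildHeaderMitigated(groups, k = K_ANONYMITY_THRESHOLD) {
  const g = selectDisclosableGroup(groups, k);
  return g === null ? null : `${g.owner}/${g.name}`;
}

// Example run: the naive header exposes rare-hobby.example; the mitigated
// header carries only shoes.example/running-shoes, shared by 250000 users.
console.log("naive:    ", buildHeaderNaive(CONSTRUCTED_GROUPS));
console.log("mitigated:", buildHeaderMitigated(CONSTRUCTED_GROUPS));
```

The model makes the trade-off in the thread concrete: even the mitigated header still names one hostname the user interacted with, so the concern in the issue is not eliminated, but the threshold bounds how identifying that hostname can be, and raising `k` shrinks the set of groups that can ever be disclosed (at a high enough threshold nothing is sent).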