Open zcorpan opened 1 year ago
The privacy issue is only for text fragments as far as I can tell.
The existence of certain element-ids is also potentially sensitive information so I wouldn't say it's only for text fragments. That said, I agree that the raw text is meaningfully different and (unlike element ids) cannot be mitigated by authors who understand the issue.
Maybe something like
Document-Policy: disable-text-fragment-scrolling
My initial hesitation to adding something like this was that a knee-jerk reaction would lead to this being blindly cargo-culted around the web, hurting usability. I think that's less of a risk at this point so this seems ok to me.
The existence of certain element-ids is also potentially sensitive information
Yes, but the behavior has existed since day 1 on the web so it should be well understood.
I think that's less of a risk at this point so this seems ok to me.
:+1:
How many web developers are asking for this distinction? I'd rather not offer this unless the existing mitigation is too prohibitive.
No data on that, this came up from internal discussion at Mozilla.
In https://github.com/WICG/scroll-to-text-fragment/pull/131 an opt out of scrolling caused by text fragment URL or fragment URL was added to address information leaks https://github.com/WICG/scroll-to-text-fragment/issues/76 and https://github.com/WICG/scroll-to-text-fragment/issues/79
I think sites may want to opt out of text fragment scrolling but not regular URL fragment scrolling. The privacy issue is only for text fragments as far as I can tell.
Maybe something like
Document-Policy: disable-text-fragment-scrolling