Hi there,
I think Tabliss shouldn't be a source of user information "leaks".
But actually, requests are made like regular requests, sending some useless headers and even saving cookies (which is illegal in Europe without consent).
We probably don't need to save cookies or send these headers:
- User-Agent
- Accept-Language
- Origin
- Cookie

Example with an Unsplash request header: we can see useless header fields and a saved cookie.
Another example: this partial response from Unsplash to the Tabliss add-on sets a cookie for all their domains:
```
GET /photo-1486520299386-6d106b22014b<REMOVED_CONTENT> HTTP/2
HTTP/2 200 OK
set-cookie: ugid=0357fbd26c9<REMOVED>391df5603878;domain=.unsplash.com;path=/;expires=Wed, 10 Apr 2024 16:22:46
...
```
And if I make a request myself from another tab to https://unsplash.com, we see the same cookie as the one set from Tabliss:
```
GET / HTTP/2
Cookie: ugid=0357fbd26c9<REMOVED>391df5603878
```
Is this important? Yes.
Firstly, like I said, in Europe cookies without consent are illegal.
Secondly, Tabliss users are not aware of their information leakage.
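
The behaviour reported above, as an added example that is not part of the original post and not Tabliss code: a fetch wrapper that keeps cookies out of the exchange, and a small check showing why a `domain=.unsplash.com` cookie comes back on a later visit to unsplash.com. It assumes the requests are made with `fetch()`; `privateFetch`, `parseSetCookie`, `cookieSentTo` and the sample values are hypothetical names and constructed data.

```javascript
// Added example, not Tabliss code. Assumes the requests are made with fetch().

// credentials: 'omit' sends no Cookie header and ignores Set-Cookie in the response.
const PRIVATE_INIT = Object.freeze({ credentials: 'omit' });

// fetchImpl is injectable so the wrapper can be exercised without network access.
function privateFetch(url, init = {}, fetchImpl = globalThis.fetch) {
  // Caller options are spread first so they cannot re-enable credentials.
  return fetchImpl(url, { ...init, ...PRIVATE_INIT });
}

// Parse one Set-Cookie header value into name, value and lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair = '', ...rest] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no name=value pair
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Domain matching as in RFC 6265 (path, Secure and SameSite are not modelled).
function cookieSentTo(cookie, setByHost, host) {
  const target = host.toLowerCase();
  const raw = typeof cookie.attrs.domain === 'string' ? cookie.attrs.domain : '';
  const domain = raw.replace(/^\./, '').toLowerCase();
  // Without a Domain attribute the cookie is host-only.
  if (!domain) return target === setByHost.toLowerCase();
  return target === domain || target.endsWith('.' + domain);
}

// Constructed sample modelled on the response quoted in the post; value is a placeholder.
const SAMPLE_SET_COOKIE =
  'ugid=PLACEHOLDER;domain=.unsplash.com;path=/;expires=Wed, 10 Apr 2024 16:22:46';
// Constructed host name standing in for whichever Unsplash host served the image.
const SAMPLE_SET_BY = 'sub.unsplash.com';
```

With the sample header, `cookieSentTo(parseSetCookie(SAMPLE_SET_COOKIE), SAMPLE_SET_BY, 'unsplash.com')` is true, which matches the second capture in the post.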