search

w3c / IntersectionObserver

Intersection Observer
https://www.w3.org/TR/intersection-observer/
Other
3.62k stars 531 forks source link

isIntersecting leaks information cross-origin #508

Open zcorpan opened 1 year ago

zcorpan commented 1 year ago

See https://github.com/WICG/scroll-to-text-fragment/issues/79

Even without Text Fragments, IntersectionObserver (and therefore also lazy-loading images) leaks scrolling position in the parent to cross-origin iframes (e.g. ads). The iframe can use IntersectionObserver on itself and detect when the iframe comes into view in the parent.

That might be useful for e.g. ad visibility measurement and other things, but is it OK to leak the user's scroll position from a privacy perspective? Leaking text content in the parent seems not OK (issue #79), but making sites opt out of text fragment scrolling as the only measure doesn't seem ideal since most sites won't know this is an issue and won't opt out. The opt out also disables regular fragment scrolling which may not be desirable.

A more thorough measure could be to make IntersectionObserver in cross-origin iframes act as if the iframe is always visible in the parent. The parent can still communicate iframe visibility to the iframe via postMessage and we could maybe add an opt-in to the current behavior with <iframe allow="...">.

I'm not sure if there are other APIs that are similarly problematic.

cc @emilio @bokand @rniwa

emilio commented 1 year ago

You can detect scroll position / visibility of the parent as well in other ways fwiw, I think. For example we'll throttle iframes that aren't visible (I believe this is common across engines), so you can infer if you're visible by measuring the time requestAnimationFrame takes to get called.

zcorpan commented 1 year ago

OK. I assume changing that is not acceptable from a performance perspective?

Demo: https://software.hixie.ch/utilities/js/live-dom-viewer/saved/11660

Works in Firefox, Chrome, Safari. But note that in Safari the first state is showing, suggesting it's not rate-limited until the iframe is first scrolled out of view, right?

khushalsagar commented 2 months ago

OK. I assume changing that is not acceptable from a performance perspective?

Intuitively yes. We could try to measure but it seems like it would be common for a page to have below the fold iframes which are never brought onscreen because the user leaves before scrolling to them.

zcorpan commented 2 months ago

So what happens in WebKit, where the demo logs "showing" first?

zcorpan commented 1 month ago

@annevk can you comment on what WebKit does here?