Detect etag supercookies #2136
Comments
Some relevant reading:
The situation on Apache is more complicated:
Questions:
See also #616 (comment)
For reference, here's Privacy Possum's implementation: https://github.com/cowlicks/privacypossum/blob/4709d1da72bb142c2a08ec2ca1644e81bd0e808e/src/js/reasons/etag.js Their approach requires storing etag data after the first observation, so we'd need a pretty big new persistent data structure.
@bcyphers bump! any progress on this? If not, I would like to take a stab at it. Thanks :)
Other extensions aside from Privacy Possum that block etags that I've seen in the past: etag stoppa and ClearURLS
Those two extensions just block etags outright, which will cause a very substantial performance impact. It should be possible to come up with a much better algorithm, that allows through etags that are a last modified time and content length.
Etags can be used as supercookies. Detecting them is not totally trivial, because they are a multi-purpose technology that can be used innocently, but the fact that Nginx and Apache have standard recipes for setting them means that we should in principle be able to detect and act upon their non-standard uses.
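As an added example (my own sketch, not Privacy Badger's code and not the Privacy Possum implementation linked above), here is the allow-through rule from the last comment and the detection idea from the issue body combined: an ETag that decodes as a standard nginx or Apache recipe (a plausible last-modified time plus a content length, optionally an inode) is passed through; anything else is reported as opaque so a heuristic can watch it for per-user variation. The two server formats are the defaults as I know them, not something the issue states, and the plausibility window for the decoded timestamp is my own choice; both are labelled in the code.

```javascript
// Added example, not part of the issue or of Privacy Badger.
// Assumed default ETag recipes (from my reading of the servers, verify against yours):
//   nginx : "<hex mtime, seconds>-<hex content length>"          e.g. "5d3a7c6e-1a2b"
//   Apache: "<hex size>-<hex mtime, microseconds>"               (FileETag MTime Size)
//           "<hex inode>-<hex size>-<hex mtime, microseconds>"   (FileETag INode MTime Size)
// A weak validator carries a W/ prefix and is otherwise identical.

const HEX = '[0-9a-f]+';
const RECIPES = [
  { server: 'nginx',  re: new RegExp(`^(${HEX})-(${HEX})$`),          mtimeGroup: 1, unit: 's'  },
  { server: 'apache', re: new RegExp(`^(${HEX})-(${HEX})$`),          mtimeGroup: 2, unit: 'us' },
  { server: 'apache', re: new RegExp(`^(${HEX})-(${HEX})-(${HEX})$`), mtimeGroup: 3, unit: 'us' },
];

// Plausibility window for the decoded modification time: 2000-01-01 up to one day
// ahead of "now". Assumed bounds; a random token rarely decodes into this window.
const MIN_TS = Date.UTC(2000, 0, 1) / 1000;
function maxTs(nowMs) { return nowMs / 1000 + 86400; }

// Strip the W/ weak marker and the surrounding quotes from a raw header value.
function stripWeak(raw) {
  let v = raw.trim();
  const weak = v.startsWith('W/');
  if (weak) v = v.slice(2);
  if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
  return { weak, value: v };
}

// Classify one ETag value. "standard" means it matches a known recipe AND the
// timestamp field decodes to a plausible date; everything else is "opaque".
// Opaque is only a candidate for further observation, not proof of tracking.
function classifyETag(raw, nowMs = Date.now()) {
  const { weak, value } = stripWeak(raw);
  for (const recipe of RECIPES) {
    const m = recipe.re.exec(value);
    if (!m) continue;
    const divisor = recipe.unit === 'us' ? 1e6 : 1;
    const ts = parseInt(m[recipe.mtimeGroup], 16) / divisor;
    if (ts >= MIN_TS && ts <= maxTs(nowMs)) {
      return { kind: 'standard', server: recipe.server, weak, mtime: new Date(ts * 1000) };
    }
  }
  return { kind: 'opaque', weak };
}

// Audit a webRequest-style header array ([{name, value}, ...]); returns the
// classification of the ETag header, or null if the response has none.
function auditResponseHeaders(headers, nowMs = Date.now()) {
  const h = headers.find(x => x.name.toLowerCase() === 'etag');
  return h ? { value: h.value, ...classifyETag(h.value, nowMs) } : null;
}

// Constructed sample responses for a stand-alone run.
const SAMPLES = [
  [{ name: 'ETag', value: '"5d3a7c6e-1a2b"' }],                             // nginx style
  [{ name: 'etag', value: 'W/"5d3a7c6e-1a2b"' }],                           // nginx, gzip weak tag
  [{ name: 'ETag', value: '"1a2b-5d3a7c6e12345"' }],                        // Apache MTime Size
  [{ name: 'ETag', value: '"33a64df551425fcc55e4d42a148795d9f25f89d4"' }],  // hash-like, opaque
  [{ name: 'ETag', value: '"ab12-cd34"' }],                                 // dashed but no plausible time
];
for (const headers of SAMPLES) console.log(auditResponseHeaders(headers));
```

The two-field nginx and Apache recipes share a shape, so the only thing that tells them apart is which field decodes to a plausible timestamp and in which unit; a tracker that deliberately mimics the recipe would slip past this check, which is why the result is meant to feed a per-site observation heuristic rather than to block on its own.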