Merge branch 'master' into hidden-download-detection

xsleaks · Apr 23, 2024 · 707e157 · 707e157
2 parents a4361b0 + 84c9df7
commit 707e157
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 25 deletions.
diff --git a/content/docs/attacks/historical/download-bar.md b/content/docs/attacks/historical/download-bar.md
@@ -0,0 +1,39 @@
++++
+title = "Download Bar"
+description = ""
+date = "2024-04-23"
+category = "Historical"
+abuse = [
+    "Downloads"
+]
+defenses = [
+    "Deprecation"
+]
+menu = "main"
++++
+
+In Chromium-based browsers, when a file was downloaded, a preview of the download process appeared in a bar at the bottom, integrated into the browser window. By monitoring the window height, attackers could detect whether the "download bar" opened:
+
+
+```javascript
+// Read the current height of the window
+var screenHeight = window.innerHeight;
+// Load the page that may or may not trigger the download
+window.open('https://example.org');
+// Wait for the tab to load
+setTimeout(() => {
+    // If the download bar appears, the height of all tabs will be smaller
+    if (window.innerHeight < screenHeight) {
+      console.log('Download bar detected');
+    } else {
+      console.log('Download bar not detected');
+    }
+}, 2000);
+```
+
+{{< hint important >}}
+This attack was only possible in Chromium-based browsers with automatic downloads enabled. In addition, the attack can't be repeated since the user needs to close the download bar for it to be measurable again.
+{{< /hint >}}
+
+### Fix
+Chromium moved away from a download bar, They explain why in the blog post [Redesigning Chrome downloads](https://blog.chromium.org/2023/08/redesigning-chrome-downloads-to-keep.html) it helps create a clearer separation of trusted browser UI from web content among other reasons.
diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md
@@ -35,31 +35,6 @@ To detect if any kind of navigation occurred, an attacker can:
 
 When an endpoint sets the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header, it instructs the browser to download the response as an attachment instead of navigating to it. Detecting if this behavior occurred might allow attackers to leak private information if the outcome depends on the state of the victim's account.
 
-### Download bar
-
-In Chromium-based browsers, when a file is downloaded, a preview of the download process appears in a bar at the bottom, integrated into the browser window. By monitoring the window height, attackers can detect whether the "download bar" opened:
-
-
-```javascript
-// Read the current height of the window
-var screenHeight = window.innerHeight;
-// Load the page that may or may not trigger the download
-window.open('https://example.org');
-// Wait for the tab to load
-setTimeout(() => {
-    // If the download bar appears, the height of all tabs will be smaller
-    if (window.innerHeight < screenHeight) {
-      console.log('Download bar detected');
-    } else {
-      console.log('Download bar not detected');
-    }
-}, 2000);
-```
-
-{{< hint important >}}
-This attack is only possible in Chromium-based browsers with automatic downloads enabled. In addition, the attack can't be repeated since the user needs to close the download bar for it to be measurable again.
-{{< /hint >}}
-
 ### Download Navigation (without Lax cookies)
 
 Another way to test for the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header is to check if a navigation occurred. If a page load causes a download, it does not trigger a navigation and the window stays within the same origin. [Run demo](https://xsinator.com/testing.html#Download%20Detection)