User:Sohom Datta/lcsl

Cross-site leaks, also known as XS-leaks, are a class of attacks used to access a user's sensitive information on another website. They allow an attacker to access a user's interactions with other websites, which can contain sensitive information. Web browsers normally stop other websites from seeing this information by enforcing a set of rules called the same-origin policy, but attackers can sometimes get around these rules using a "cross-site leak". Attacks using a cross-site leak are often initiated by enticing users to visit the attacker's website. When the user visits, the attacker uses malicious code on their website to interact with another website. The attacker can use this to learn about the user's previous actions on the other website, and the information obtained can uniquely identify the user to the attacker.

Cross-site leaks comprise a highly varied range of attacks for which there is no established, uniform classification. However, multiple sources typically categorize these attacks by the leaking technique used during an attack. Researchers have identified over 38 leak techniques that target components of the browser. New techniques are typically discovered due to changes in web platform APIs, which are JavaScript interfaces that allow websites to query the browser for specific information. Although the majority of these techniques involve directly detecting state changes in the victim web app, some attacks also exploit alterations in shared components within the browser to indirectly glean information about the victim web app.

Headers

 * Subresource integrity errors
 * Download detection using the Performance API
 * Cross-origin Resource Policy header detection using the Performance API
 * Detecting the Cross Origin Opener Policy header
 * Detecting the X-Frame-Options header using the object tag
 * Detecting the X-Frame-Options header using the Performance API
 * Detecting CSP directives
 * Detecting Cross-Origin Resource Blocking behaviour
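The header-based techniques listed above reveal something only when a response header differs with the user's state on the victim site. The following is an added example, not part of the original page: a defender-side audit that compares two captured responses for the same URL and reports the headers whose presence or value depends on state. The function names, the watched-header list and the sample responses are assumptions constructed for illustration.

```javascript
// Headers whose presence or value the listed techniques can observe.
// This mapping is an assumption of the example, not taken from the page.
const WATCHED = [
  'content-disposition',          // download detection
  'cross-origin-resource-policy',
  'cross-origin-opener-policy',
  'x-frame-options',
  'content-security-policy',
  'content-type',                 // Cross-Origin Resource Blocking
  'x-content-type-options',       // Cross-Origin Resource Blocking
];

// Reduce a header object to the watched headers in a comparable form.
function normalize(headers) {
  const out = new Map();
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!WATCHED.includes(key)) continue;
    let v = String(value).trim().toLowerCase();
    // CSP nonces change on every response; they are not a state signal.
    if (key === 'content-security-policy') v = v.replace(/'nonce-[^']*'/g, "'nonce-*'");
    // Only the media type matters, not the charset parameter.
    if (key === 'content-type') v = v.split(';')[0].trim();
    out.set(key, v);
  }
  return out;
}

// Return the watched headers that differ between two states of one URL.
function stateDependentHeaders(responseA, responseB) {
  const a = normalize(responseA), b = normalize(responseB);
  const findings = [];
  for (const key of WATCHED) {
    const va = a.get(key) ?? null, vb = b.get(key) ?? null;
    if (va !== vb) findings.push({ header: key, stateA: va, stateB: vb });
  }
  return findings;
}

// Constructed sample: the same URL captured logged out and logged in.
const loggedOut = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "script-src 'nonce-abc123'",
};
const loggedIn = {
  'content-type': 'text/html',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "script-src 'nonce-zzz999'",
  'Cross-Origin-Opener-Policy': 'same-origin',
};
console.log(stateDependentHeaders(loggedOut, loggedIn));
```

Any header reported here is a candidate oracle; sending the same header value in every state removes the difference.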