Google Chrome updates occur so often that most people don’t even pay attention to the latest changes. However, Chrome 80 has pushed out a new browser capability that has captured the attention of other developers, privacy experts, and everyday Chrome users. This new feature is called ScrollToTextFragment, and it could allow unauthorized users to link to a specific piece of text within a document without relying on an anchor created by the website owner. To make sure your site stays safe, here’s what you need to know about the ScrollToTextFragment capability.
Example of the ScrollToTextFragment
Google explains the new feature of their browser in a recent update, stating, “This feature allows a user or author to link to a specific portion of a page, using a text snippet provided in the URL. When the page is loaded, the browser highlights the text and scrolls it into view.”
Google provides the following example of a Wikipedia page to further clarify their point:
For example, the following URL will load the page for “Cat,” highlight the specified text, and scroll right to that section:
- [https://en.wikipedia.org/wiki/Cat#]
With the ScrollToTextFragment, pages that have specific headers and section titles can be linked directly to certain elements to make it easier for users to find certain details. The extra element is added in the “URL hash,” such as:
- [https://en.wikipedia.org/wiki/Cat#Senses]
When “#Senses” is added to the Wikipedia URL for cats, the link will bring the user directly to the section of the text related to the senses. Before the ScrollToTextFragment was implemented, the URL hash relied on author annotations. Now, the link-creator can pick and choose which sections of the page are most interesting without requiring the author’s input.
Potential Issues and Privacy Concerns
The ScrollToTextFragment feature can certainly be useful for savvy Chrome users, but privacy researcher Peter Snyder voices some of his concerns in a statement he gave to Forbes: “Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with [the anchor] #:~:text=cancer. On certain page layouts, I might be able [to] tell if the employee has cancer by looking for lower-on-the-page resources being requested.”
Snyder has further emphasized his worries in a series of tweets, one of which says, “Imposing privacy and security leaks to existing sites (many of which will never be updated) REALLY should be a “don’t break the web”, never cross, redline. This spec does that.”
However, Snyder isn’t the only one who’s seeing red flags with Chrome 80. David Baron, Mozilla’s principal engineer, writes, “My high-level opinion here is that this [is] a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems.”
Currently, there is no way for users to opt in or opt out of the new feature, but Chromium engineer David Bokan says there might be an opt-out option added in the future. For now, the best way for websites to retain privacy and protect against possible exploitation is to stay up to date with the latest security patches and carefully monitor their pages.
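Links carrying the `#:~:text=` anchor from Snyder's scenario can be inspected wherever the full URL is visible before a user clicks it, such as a mail or chat gateway; the fragment is never sent to the web server, so server logs will not show it. The following is an added example, not code from Google or the sources quoted here, and its watch list, function names and sample URLs are constructed assumptions.

```javascript
// Added example: parse text-fragment directives so a gateway can flag links.
// SENSITIVE_TERMS is a constructed watch list (assumption, tune per site).
const SENSITIVE_TERMS = ["cancer", "diagnosis", "salary"];

// Split one text= value into its parts: [prefix-,]start[,end][,-suffix]
function parseTextDirective(value) {
  const parts = value.split(",");
  const out = { prefix: null, start: null, end: null, suffix: null };
  if (parts.length > 1 && parts[0].endsWith("-")) {
    out.prefix = parts.shift().slice(0, -1);
  }
  if (parts.length > 1 && parts[parts.length - 1].startsWith("-")) {
    out.suffix = parts.pop().slice(1);
  }
  if (parts.length < 1 || parts.length > 2 || parts[0] === "") return null;
  [out.start, out.end = null] = parts;
  for (const k of Object.keys(out)) {
    if (out[k] !== null) {
      // Malformed percent-encoding makes the directive invalid.
      try { out[k] = decodeURIComponent(out[k]); } catch { return null; }
    }
  }
  return out;
}

// Return every valid text directive in a URL. Directives follow the ":~:"
// delimiter inside the fragment and are separated by "&".
function extractTextDirectives(url) {
  const hash = url.indexOf("#");
  if (hash === -1) return [];
  const fragment = url.slice(hash + 1);
  const delim = fragment.indexOf(":~:");
  if (delim === -1) return [];
  return fragment.slice(delim + 3).split("&")
    .filter((d) => d.startsWith("text="))
    .map((d) => parseTextDirective(d.slice(5)))
    .filter((d) => d !== null);
}

// List the watched terms that appear in any part of any directive.
function flagLink(url, terms = SENSITIVE_TERMS) {
  const hits = new Set();
  for (const d of extractTextDirectives(url)) {
    const text = Object.values(d).filter(Boolean).join(" ").toLowerCase();
    for (const t of terms) if (text.includes(t)) hits.add(t);
  }
  return [...hits];
}
```

An ordinary author-defined anchor such as `#Senses` yields no directives, so only links that use the new text-snippet syntax are reported.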