Developer Tools does not show request headers when the server has implemented TLS token binding
Reported by e...@gluejar.com, Jan 13 2017
Issue description

PRIVACY ISSUE

In Developer Tools, Request Headers are not shown when the server has implemented TLS token binding. For example, when a webpage loads fonts from fonts.gstatic.com or style files from fonts.googleapis.com.

This is a privacy issue because user tracking via token id (essentially the same as an id cookie that doesn't expire) is obscured. Developers who load fonts from fonts.gstatic.com or style files from fonts.googleapis.com may not realize that use of these third party resources should trigger the EU ePrivacy Directive.

VERSION:
Chrome Version: Version 55.0.2883.95 (64-bit)
Operating System: OS X 10.11.6 (15G1108)

REPRODUCTION STEPS
open developer tools network panel
load http://library.princeton.edu/
look at request headers for a request to fonts.googleapis.com or fonts.gstatic.com
Oct 30
Thanks for the report. Based on [1], it looks like some recent patches have been removing Token binding from Chromium, so perhaps this report will soon be obsolete? jarhar@, could you please investigate?

[1] https://bugs.chromium.org/p/chromium/issues/detail?id=467312#c29
Oct 30
Token Binding was permanently disabled in M70 (with code removal in M71), so this bug is obsolete.
Comment 1 by dullweber@google.com, Oct 24