This repository was archived by the owner on Nov 12, 2025. It is now read-only.
It is not clear to me what happens when an offending website forces the user's browser to follow a chain of redirects.
According to the documentation, "Redirects will be followed, and the topics sent in the redirect request will be specific to the redirect URL."
Can this potentially lead to an attack in which the browser follows a chain of redirects, each one letting the controlling webmaster obtain one (three) possible topics via document.browsingTopics()?
For instance: (visit to mysite1.com -> get 3 topics) + (redirect to mysite2.com -> get 3 topics) + (redirect to mysite3.com -> get 3 topics) + ...
With this attack, assuming the three websites are owned by the same (or colluding) organization(s), whoever controls mysite{X}.com gets up to 3|X| topics in a short time.
Are there any mechanisms in place to prevent this?
Moreover, what is the definition of a website within the Topics API?
Are two subdomains of the same domain considered different websites?
For example, are one.example.org and two.example.org the same or different websites?