Google has implemented a new feature in version 80 of the company’s Chrome web browser called Scroll To Text Fragment designed as a global method to deep link to any part of a web document.
Unlike HTML’s anchor functionality, Scroll To Text Fragment links may be created by anyone to point to different parts of a document; this is done by specifying a text snippet in the URL. The text snippet has to be provided in the form #:~:text=, e.g. https://www.ghacks.net/#:~:text=firefox.
Use cases include search engines that may link to content on a page but also resource sites such as Wikipedia and users who want to share links that point to a specific part of a document (similarly how you may share video links on YouTube that point to a specific playtime).
The feature emerged from the W3C’s Web Platform Incubator Community Group which is heavily dominated by Google. Three of the four code reviews of the feature were conducted by Google employees.
Google has been criticized heavily for implementing the feature in Chrome by default. Mozilla employee David Baron posted this last December:
My high-level opinion here is that this a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems.
Brave’s Peter Snyder put it more bluntly on Twitter:
Imposing privacy and security leaks to existing sites (many of which will never be updated) REALLY should be a “don’t break the web”, never cross, redline. This spec does that.
The feature could enable new privacy attacks according to Snyder who published an example of a potential issue on GitHub:
For example: Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with #:~:text=cancer. On certain page layouts, i might be able tell if the employee has cancer by looking for lower-on-the-page resources being requested.
Google has created a document and made it public in which it collected potential issues linked to the Scroll To Text Fragment feature. In it, Google highlights potential attack vectors and potential mitigations.
Closing Words
One of the main takeaways from the controversy is that Google acts from a position of power thanks to Chrome’s dominance on the web. Google will push features into Chrome that it considers worthwhile (for whatever reason) even if there is strong opposition.
