A request has been made for this article to be peer reviewed to receive a broader perspective on how it may be improved. Please make any edits you see fit to improve the quality of this article.
Cross-site leaks is a former featured article candidate. Please view the links under Article milestones below to see why the nomination failed. For older candidates, please check the archive.
Cross-site leaks has been listed as one of the Engineering and technology good articles under the good article criteria. If you can improve it further, please do so. If it no longer meets these criteria, you can reassess it.
This article is rated GA-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:
The result was: promoted by PrimalMustelid (talk) 01:51, 6 November 2023 (UTC)
5x expanded by Sohom Datta (talk). Self-nominated at 07:39, 2 October 2023 (UTC). Post-promotion hook changes for this nom will be logged at Template talk:Did you know nominations/Cross-site leaks; consider watching this nomination, if it is successful, until the hook appears on the Main Page.
I can't help thinking given the hyphen usage in the sources that the article should really live at Cross-site leaks.
The article needs a good copy-edit before featuring on the main page - there are several spelling/grammatical errors (e.g. orgin/origin and users/user's) and inconsistencies (e.g. url and URL).
Hook fact does appear in the article and is cited, although not using the reference provided here (which as a Wiki page wouldn't count as a reliable source anyway), but the sources in the article are journals so that's fine.
Sourcing meets the minimum one per paragraph, however, I don't see what makes appsecmonkey.com a reliable source - can you provide a better reference?
Reviewer: Equalwidth (talk · contribs) 09:44, 6 November 2023 (UTC)
Reviewer: RoySmith (talk · contribs) 23:05, 7 November 2023 (UTC)
@Sohom Datta: Starting review now. Just for your information, I'm broadly familiar with web security, but not an expert in this particular topic. RoySmith (talk) 23:05, 7 November 2023 (UTC)
{ mode: 'no-cors' } values must be included for the request to succeed. Similarly, the comments at the top of the JS code snippet demonstrate that the attacker needs to create an empty iframe before setting the load event handler. (A non-empty iframe might not fire a load event in certain browsers.) Some of the URLs have been shortened so that they fit inside the sidebar, and the performance.now() statements have been rearranged for the same reason. Sohom (talk) 09:21, 9 November 2023 (UTC)
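For the no-cors fetch and iframe load-event behaviour discussed above, an added example (not code from the article, the paper, or this discussion) of the server-side mitigation: a Fetch Metadata policy, in Node-style JavaScript, that refuses those cross-site requests before any user state is consulted, so a state-dependent URL answers identically for logged-in and logged-out users. The request shape, endpoint and sample headers are constructed for this example.

```javascript
// Added example (not from the article or this discussion): a Fetch Metadata
// isolation policy that refuses the cross-site no-cors fetches and iframe loads
// a cross-site leak probes with, so the endpoint answers the same way whether
// or not the victim is logged in. Request shape is constructed for the example.
const XS_LEAK_DEFENSE_HEADERS = {
  'X-Frame-Options': 'DENY',                     // no iframe embedding
  'Cross-Origin-Resource-Policy': 'same-origin', // no cross-origin no-cors reads
  'Cross-Origin-Opener-Policy': 'same-origin',   // no window references across sites
  'Cache-Control': 'no-store',                   // nothing left in the HTTP cache to probe
};
// Decide before touching any state whether a request may reach a state-dependent URL.
function isAllowedByResourceIsolation(req) {
  const site = req.headers['sec-fetch-site'];
  const mode = req.headers['sec-fetch-mode'];
  const dest = req.headers['sec-fetch-dest'];
  // Browsers without Fetch Metadata send no Sec-Fetch-Site; allowed here (assumption).
  if (site === undefined || site === 'same-origin' || site === 'same-site' || site === 'none') {
    return true;
  }
  // Cross-site: only a top-level GET navigation (user following a link) passes;
  // framed destinations are denied because their load events are a timing channel.
  const framed = ['iframe', 'frame', 'object', 'embed'];
  return mode === 'navigate' && req.method === 'GET' && !framed.includes(dest);
}

// The state-dependent endpoint a leak would try to probe.
function handleAccountPage(req, loggedIn) {
  const headers = { ...XS_LEAK_DEFENSE_HEADERS };
  if (!isAllowedByResourceIsolation(req)) {
    return { status: 403, headers, body: 'forbidden' }; // identical for every login state
  }
  return loggedIn
    ? { status: 200, headers, body: 'account: alice' }
    : { status: 401, headers, body: 'please log in' };
}

// Sample requests, constructed as a modern browser would send them.
const crossSiteNoCorsFetch = { method: 'GET', headers: {
  'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'empty' } };
const crossSiteIframe = { method: 'GET', headers: {
  'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'iframe' } };
const crossSiteLinkClick = { method: 'GET', headers: {
  'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } };
const sameOriginXhr = { method: 'GET', headers: {
  'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } };
// True when a probe cannot tell a logged-in victim from a logged-out one.
function responsesAreIndistinguishable(req) {
  return JSON.stringify(handleAccountPage(req, true)) ===
         JSON.stringify(handleAccountPage(req, false));
}
```

The decision is taken before any session lookup, so the blocked response carries no state-dependent difference in body, status or caching for a cross-site probe to time.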
async) that fixes a syntactical issue with the code in the paper. Let me know if there are any other issues. Sohom (talk) 11:02, 11 November 2023 (UTC)
"Apart from basic facts, significant information should not appear in the lead if it is not covered in the remainder of the article." Things I see in the lead that aren't mentioned anywhere in the article include "XS-Leaks", "browsing session", "side channel", "cache timing information".
"first discovered by researchers at Purdue University": it's hard to prove something was the first. The body says "as far back as 2000", which is a better way to phrase this, since it allows that there may have been earlier papers.
"two primary components: a web browser and multiple web servers": "one or more web servers"?
"via the HTTP protocol and socket connections": that's usually true, but doesn't have to be. I'd throw "typically" in there somewhere. You could say that the rest of this article assumes that's the case.
"render a web application": I'm not sure "render" is the right verb here. Deliver? Implement?
"executing HTML, CSS or Javascript": You certainly execute javascript. I'm not sure "execute" is the right verb for HTML or CSS, however.
"transitions in between": just "transitions between", I think?
"These states are often synced...": I'm not sure what this is trying to say, but "synced" doesn't seem like the right word.
"To provide isolation and security of": maybe, "To securely isolate"?
"A specific web application": drop "specific".
"cannot reach into a different web app's execution context": I think you mean "cannot reach into another execution context". If I've got two windows open on the same URL, it's the same web app, but different execution contexts.
"arbitrarily gain information": that's an odd phrase. Is "gain" the word that's used in the sources? If not, then maybe "learn" or "obtain", or even "infer" might be better?
"This can lead to the attacker accessing sensitive information about a user's previous browsing habits.": "activity" instead of "habits"? And any information you get that you're not supposed to have is inherently "sensitive".
(I'm going to be on the road for most of the next week. I'll drop in on this as I have time and connectivity, but it may stretch out for the better part of the week)
"relies on the attacker being able to ... under the adversary's control.": I'm pretty sure you're using "attacker" and "adversary" as synonyms here, referring to the same actor. Normally in creative writing you want to use varied vocabulary to keep the prose interesting. In technical writing like this, I think you'll do better to stick to a fixed vocabulary, i.e. pick one of "attacker" or "adversary" (or whatever) and use that term consistently, in the style of Alice and Bob. The writing will sound a bit more stilted, but it'll be easier for a reader to follow.
"by phishing the user to a web page": link "phishing".
"state-dependent URL": see WP:SEAOFBLUE.
"While every method of including a URL in a web page can be combined ...": I think you mean "can in theory be combined"?
"known for over 23 years": that will become stale next year. I'd just use the year, i.e. "have been known since 2000".
"papers ... that describe attacks that leverage the HTTP cache": were these attacks theoretical, or actual attacks observed in the wild?
"Bar Ilan University detail a attack": detailed (past tense)?
"this approach was infeasible for any non-trivial website due to the nature of the web platform.": you need to explain that.
"are extensions to the HTTP protocol that focuses": "focus"?
"X-Frame-Options header": more SEAOFBLUE.
"One of the earliest and most well-known methods...": if this was the earliest, maybe discuss it first?
"major browser vendors such as the likes of Chrome, Brave": I would drop the entire "major browser vendors such as the likes of" part.
"the author is a subject-matter expert or the blog is used for uncontroversial self-descriptions." Luan's blog is cited in the paper Van Goethem et al. to describe his exploit on the monorail bug tracker, and the line this is immediately before talks about exactly that. The only real "thing" that this citation supports is the products in which he found the security issues, which falls under "uncontroversial self-descriptions". -- Sohom (talk) 12:37, 11 November 2023 (UTC)
@Rockstone35 I was the author of the revision where the wrong spelling of Defenses was used, and as discussed in the GA review above, I corrected the spelling since most of the sources are in American English. I really don't understand why we need to bring WP:RETAIN into this. -- Sohom (talk) 15:02, 14 November 2023 (UTC)
@Baffle gab1978: Thanks for your efforts in copyediting this article! I just wanted to leave a quick note that "et al." is not normally abbreviated per MOS:MISCSHORT/MOS:LATINABBR. — TechnoSquirrel69 (sigh) 03:07, 6 February 2024 (UTC)