Allow opt out of only text fragment scrolling

[zcorpan]

In #131 an opt out of scrolling caused by text fragment URL or fragment URL was added to address information leaks #76 and #79

I think sites may want to opt out of text fragment scrolling but not regular URL fragment scrolling. The privacy issue is only for text fragments as far as I can tell.

Maybe something like Document-Policy: disable-text-fragment-scrolling

[bokand]

The privacy issue is only for text fragments as far as I can tell.

The existence of certain element-ids is also potentially sensitive information so I wouldn't say it's only for text fragments. That said, I agree that the raw text is meaningfully different and (unlike element ids) cannot be mitigated by authors who understand the issue.

Maybe something like Document-Policy: disable-text-fragment-scrolling

My initial hesitation to adding something like this was that a knee-jerk reaction would lead to this being blindly cargo-culted around the web, hurting usability. I think that's less of a risk at this point so this seems ok to me.

[zcorpan]

The existence of certain element-ids is also potentially sensitive information

Yes, but the behavior has existed since day 1 on the web so it should be well understood.

I think that's less of a risk at this point so this seems ok to me.

👍

[annevk]

How many web developers are asking for this distinction? I'd rather not offer this unless the existing mitigation is too prohibitive.

[zcorpan]

No data on that, this came up from internal discussion at Mozilla.