2015-burnett-encore
findings extracted from this paper
- Chrome's non-standard behavior of firing an onload event for any HTTP 200 OK response regardless of MIME type—combined with its enforcement of X-Content-Type-Options: nosniff—allows the script tag to probe reachability of arbitrary non-image URLs, a measurement capability unavailable in other browsers that attempt to execute fetched content as JavaScript and thus pose an XSS risk.
- Over 60% of the 178 tested target domains host images ≤1 KB (fitting in a single TCP packet), enabling domain-level filtering detection via cross-origin image embedding for more than half of domains; however, Encore can measure fewer than 10% of individual URLs when limiting iframe page loads to 100 KB, confirming that detecting per-URL filtering is an order of magnitude harder than domain-level detection.
- Applying a regional binomial hypothesis test (p=0.7, significance 0.05) to Encore measurements independently confirmed censorship of youtube.com in Pakistan, Iran, and China, and of twitter.com and facebook.com in China and Iran, validating passive cross-origin measurement against prior independent reports of filtering.
- In 8,573 controlled testbed measurements across image, stylesheet, and script task types, Encore produced zero false negatives and a ~5% false positive rate in India (attributed to unreliable network connectivity rather than filtering), establishing that cross-origin browser probes reliably detect DNS, IP, and HTTP filtering under stable network conditions but require aggregation to control noise.
- Encore collected 141,626 measurements from 88,260 distinct IPs in 170 countries over seven months (May 2014–January 2015) using as few as 17 volunteer webmaster deployments, demonstrating that passive cross-origin measurement can achieve broader geographic vantage-point coverage than custom-software deployments without recruiting individual end-users.
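
The regional binomial test named in the findings above (p=0.7, significance 0.05), worked through as an added example; it is not code from the paper or from the Encore project. It assumes a one-sided test of the null hypothesis "measurements from this region succeed with probability at least p", and that a target is flagged only when at least one other region does not reject; region names and counts are constructed.

```python
from math import comb

P_SUCCESS = 0.7  # success probability under the null hypothesis (value from the page)
ALPHA = 0.05     # significance level (value from the page)


def binom_cdf(k, n, p):
    """Exact P[X <= k] for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def region_rejects(successes, total, p=P_SUCCESS, alpha=ALPHA):
    """True when so few measurements succeeded that 'success rate >= p' is rejected."""
    if total == 0:
        return False  # no data, no conclusion
    return binom_cdf(successes, total, p) <= alpha


def filtered_regions(counts):
    """counts maps region -> (successes, total) for one target.

    Assumption: if every region with data rejects the null, the target is
    treated as unreachable everywhere (e.g. the site is down), not filtered.
    """
    with_data = {r for r, (_, n) in counts.items() if n > 0}
    rejected = {r for r in with_data if region_rejects(*counts[r])}
    if rejected == with_data:
        return set()
    return rejected


# Constructed per-region counts for a single target.
SAMPLE = {
    "region-A": (2, 20),   # almost every load failed
    "region-B": (18, 20),  # healthy
    "region-C": (13, 20),  # flaky connectivity, 65% success
    "region-D": (0, 2),    # all failed, but too few samples to conclude
}

if __name__ == "__main__":
    print(sorted(filtered_regions(SAMPLE)))
```

region-C and region-D show why aggregation matters: a noisy 65% success rate and two failed loads both stay below the evidence needed to reject the null.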