[city41]

You can still hide the data in "folders". /foo/bar/baz/buz can be totally dynamic on the server.

[ericfrederich]

How about after load, that tab automatically goes completely offline. Users can manually do this in Chrome on a tab by tab basis by using developer console and setting Throttling to "Offline"

[city41]

That sounds more promising. The site might be able to store data and then send it the next time the page is loaded. I think at the end of the day, a malicious dev could probably find a workaround to most implementations. Might just be better to vet out sites and use reputation to state they are truly offline.

[ericfrederich]

I hear what you're saying, but I also believe this to be a solvable problem

[richthegeek]

Note that the "offline" mode in devtools doesn't kill any websocket connections. It may have other holes i'm not aware of also.

[codethief]

Or in the subdomain, using "DNS exfiltration": https://twitter.com/rsobers/status/1293539543115862016

[city41]

That's an interesting exploit, thanks for sharing.