Closed (moved)
The `languagechange` event is noticeable on all open tabs
It turns out that there is the `languagechange` event, which is noticeable on all open tabs, allowing a user's activity to be correlated cross-domain and bypassing our unlinkability requirement.
Now, triggering that one can't be done remotely and is probably not done very often. But still we should find a way to make it much less obvious to third-party scripts that a particular user made language-related changes and has been on website A, B, and C.
Reported on HackerOne by tomvg.