Comment Blocking JavaScript does not defeat ETAGs (Score 3, Informative) 173
JavaScript is not needed at all: an etag header can be used to track you across different sites by including say a
Example:
- Run your favorite HTTP proxy debugger (FiddlerTool if using Windows)
- Run Chrome or Firefox
- Clear the cache
- Disable JavaScript completely
- Browse to http://meta.wikimedia.org/images/wikimedia-button.png
- Close and restart the browser
- Browse to http://meta.wikimedia.org/images/wikimedia-button.png
In the first request, the response header has ETag: "97a-494505e0c46c0"
In the second request, the request header has If-None-Match: "97a-494505e0c46c0" - this acts like a cookie.
If the "tracking" server receives a request with no If-None-Match: header, it replies with the file and sets the ETag to a unique value (exactly equivalent to the "cookie" value). If the server receives a request with the If-None-Match:, the value can be used to track the user... for example the server takes the If-None-Match: value, and returns back the image with the same ETag value, and *also* sets a cookie with that value in the response header!
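
An added example, not part of the comment above: one way to audit proxy-captured traffic for ETags that behave like identifiers rather than content validators. The exchange layout, the `tracker.example` host, the `u-1001`/`u-1002` values and the function names are constructed assumptions; header names are assumed to be already normalized by the capture tool.

```python
from collections import defaultdict

# Constructed sample of proxy-captured exchanges (not real traffic).
# Each entry: client label, URL, request headers, response headers, body digest.
EXCHANGES = [
    {"client": "A", "url": "http://meta.wikimedia.org/images/wikimedia-button.png",
     "req": {}, "resp": {"ETag": '"97a-494505e0c46c0"'}, "body": "d1"},
    {"client": "B", "url": "http://meta.wikimedia.org/images/wikimedia-button.png",
     "req": {}, "resp": {"ETag": '"97a-494505e0c46c0"'}, "body": "d1"},
    {"client": "A", "url": "http://tracker.example/pixel.png",
     "req": {}, "resp": {"ETag": '"u-1001"'}, "body": "d2"},
    {"client": "B", "url": "http://tracker.example/pixel.png",
     "req": {}, "resp": {"ETag": '"u-1002"'}, "body": "d2"},
    {"client": "A", "url": "http://tracker.example/pixel.png",
     "req": {"If-None-Match": '"u-1001"'},
     "resp": {"ETag": '"u-1001"', "Set-Cookie": "id=u-1001; Path=/"}, "body": "d2"},
]

def bare(value):
    """Strip the weak-validator prefix and quotes from an ETag value."""
    return value.strip().removeprefix("W/").strip('"')

def find_tracking_etags(exchanges):
    """Return {url: sorted reasons} for ETags that act like per-user identifiers."""
    findings = defaultdict(set)
    by_content = defaultdict(dict)  # (url, body digest) -> {client: etag}
    for ex in exchanges:
        etag = ex["resp"].get("ETag")
        if etag:
            by_content[(ex["url"], ex["body"])][ex["client"]] = bare(etag)
        # Heuristic 2: the validator the client sent comes back inside a cookie.
        inm = bare(ex["req"].get("If-None-Match", ""))
        if inm and inm in ex["resp"].get("Set-Cookie", ""):
            findings[ex["url"]].add("if-none-match-echoed-in-set-cookie")
    # Heuristic 1: identical content, yet every client received its own ETag.
    for (url, _digest), per_client in by_content.items():
        if len(per_client) > 1 and len(set(per_client.values())) == len(per_client):
            findings[url].add("per-client-etag-for-identical-content")
    return {url: sorted(reasons) for url, reasons in findings.items()}
```

A legitimate validator, like the wikimedia one in the walkthrough, is the same for every client that fetches the same bytes, so it is not flagged.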