Apparently some websites (I don't know which ones) have this thing called session replay that logs your input keystroke by keystroke. Even if you don't actually send what you typed, it's still logged. This log is then sent on to what are called "pre-authorised third parties". Any information on what that means is welcome.

The information collected could even include passwords.

Someone called Steven Engelhardt at Princeton did this study. I couldn't find it online, but I found a general site on the project https://webtransparency.cs.princeton.edu

Have a read of this

That report is useful but the problem is widely known in a more general context. This specific logging being confirmed is somewhat new, at least for much of the general public. There was a lot of discussion once again last year around this time. One of the resulting demonstration sites is here:

https://clickclickclick.click/

However what is being reported by the team at Princeton is just the capabilities of javascript. The scary part is that given how trivially easy it is to MitM HTTPS connection, even 'trusted' sites should not be using javascript if they want their visitors to remains safe. Might or might not be a big deal from home but might be a big deal from a conference center, a hotel, or a cafe. VPNs help but that just moves the egress and thus the target.

You can see how many hundreds of objects some sites bring in. Many of those are external and many of those external objects are javascripts. To see them try going to your local municipal web site or your bank. Then try ctrl-shift-i in your browser. Choose Networking and then reload the page.

I'm sure that's the one!

One of my Clients got mentioned in https://www.wired.com/story/the-dark...y-move-online/