No, he's right.
Here's the attack:
1. Find a page that:
1.1. Dynamically loads additional content based on when it scrolls into view. Many sites do this with images, for example. (Yes, it's extremely annoying; but it's common.)
1.2. Has some target content that you want to test for far enough down the page that it won't scroll into view immediately.
2. Put a link to the page with an STTF fragment referring to the target content on a shared site (the "health portal" in this example).
3. Victim is interested in the target content, so clicks on the link.
4. DNS traffic indicates a request to resolve the dynamically-loaded content from the target area of the page from the victim's system.
STTF can activate side channels, such as load-on-scroll content.
Biting the hand that feeds IT
