You can exfiltrate ETag data by making AJAX requests to/from different domains.
Visit this page from different domains. All of the fetched AJAX Etags should be the same.
EDIT: This seems to only be true within the same eTLD+1. Hmm...
Here are some places where this page is probably hosted:
Here are the ETags from fetching across different domains:
| Local ETag: | This should be replaced by the local ETag. Any minute now... |
| CR ETag: | This should be replaced by the ETag from the cr subdomain. Any minute now... |
| CR2 ETag: | This should be replaced by the ETag from the cr2 subdomain. Any minute now... |