Summary:

The window.name can persist after doing cross-origin navigation, which
means it can leak information across origins and be used as a tracking
vector.

To address this, we want to clear the window.name when doing cross-origin
navigations. The window.name won't persist across origins, so it cannot be
used for tracking.

We also want to implement the store/restore of window.name in the session
history when doing history loads. This has been defined in the HTML Standard.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=444222

Standard:
  * https://html.spec.whatwg.org/#history-traversal

Platform coverage: All

Preference: privacy.window.name.update.enabled

Devtools bug: Nope.

Other browsers:
  * Safari has shipped this.
  * Chrome doesn't implement this.

web-platform-tests:
We will add web-platform-tests for this.

Secure contexts:
This is not restricted to secure contexts.

Is this feature enabled by default in sandboxed iframes?: Yes

Best,
Tim,
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
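
The behaviour described in the message above, as an added example that is not part of the original e-mail and is not Gecko code: a simplified model of one top-level browsing context that clears the name on cross-origin navigation and stores/restores it in session history on history loads. The class, method and field names and the `a.example`/`b.example` URLs are hypothetical, and the model assumes the name is saved only on the entry being left.

```javascript
// Simplified model of a top-level browsing context (illustration only).
class BrowsingContext {
  constructor(url) {
    this.name = "";                           // what window.name reads/writes
    this.entries = [{ url, savedName: null }]; // session history
    this.index = 0;
  }
  static originOf(url) { return new URL(url).origin; }
  get origin() { return BrowsingContext.originOf(this.entries[this.index].url); }

  // Regular navigation: drop forward history, append a new entry.
  navigate(url) {
    if (BrowsingContext.originOf(url) !== this.origin) {
      // Park the name on the entry being left, then clear it so the
      // destination origin never observes the previous origin's value.
      this.entries[this.index].savedName = this.name;
      this.name = "";
    }
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push({ url, savedName: null });
    this.index++;
  }

  // History load (back/forward) by delta; returns false if out of range.
  traverse(delta) {
    const target = this.index + delta;
    if (target < 0 || target >= this.entries.length) return false;
    const from = this.entries[this.index];
    const to = this.entries[target];
    if (BrowsingContext.originOf(to.url) !== BrowsingContext.originOf(from.url)) {
      from.savedName = this.name;      // store for a later return
      this.name = to.savedName ?? "";  // restore what this entry had
      to.savedName = null;
    }
    this.index = target;
    return true;
  }
}

// Constructed scenario: a.example sets a name, user goes to b.example and back.
function demo() {
  const bc = new BrowsingContext("https://a.example/start");
  bc.name = "uid=1234";
  bc.navigate("https://a.example/next");   // same origin: name kept
  const sameOrigin = bc.name;
  bc.navigate("https://b.example/");       // cross origin: name cleared
  const seenByB = bc.name;
  bc.name = "b-state";
  bc.traverse(-1);                          // back: a.example's name restored
  const restoredForA = bc.name;
  bc.traverse(1);                           // forward: b.example's name restored
  return { sameOrigin, seenByB, restoredForA, restoredForB: bc.name };
}
```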
