On Thursday, September 10, 2020 at 8:47:37 AM UTC-4, Tim Huang wrote:
> Summary:
>
> The window.name can persist after doing cross-origin navigation, which
> means it can leak information across origins and be used as a tracking
> vector.
>
> To address this, we want to clear the window.name when doing cross-origin
> navigations. The window.name won't persist across origins, so cannot be
> used for tracking.
>
> We also want to implement the store/restore window.name in the session
> history when doing history loads. This has been defined in HTML Standard.
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=444222
>
> Standard:
> * https://html.spec.whatwg.org/#history-traversal
>
> Platform coverage: All
>
> Preference: privacy.window.name.update.enabled
>
> Devtools bug: Nope.
>
> Other browsers:
> * Safari has shipped this.
> * Chrome doesn't implement this.
>
> web-platform-tests:
> We will add web-platform-tests for this.
>
> Secure contexts:
> This is not restricted to secure contexts.
>
> Is this feature enabled by default in sandboxed iframes?: Yes
>
> Best,
> Tim,

Hi Tim,

FYI, here is the tracking bug for this issue in Chrome: crbug.com/1090128.

Thanks,
Shuran

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
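
The behaviour described in the quoted summary, as an added example that is not part of the original thread and not Firefox's code: a simplified JavaScript model of one top-level browsing context that clears the name on cross-origin navigation and restores it from session history on a history load. The class, the `updateEnabled` flag (standing in for the preference named in the summary) and the `example` URLs are constructed for illustration.

```javascript
// Simplified model (constructed): one top-level browsing context whose
// `name` plays the role of window.name.
class BrowsingContextModel {
  constructor(updateEnabled = true) {
    this.updateEnabled = updateEnabled; // assumption: stands in for the pref
    this.name = "";
    this.entries = []; // session history entries: { url, savedName }
    this.index = -1;
  }

  get origin() {
    return this.index >= 0 ? new URL(this.entries[this.index].url).origin : null;
  }

  // A regular navigation: remember the name on the entry being left, then
  // clear it if the new document has a different origin.
  navigate(url) {
    const from = this.origin;
    const to = new URL(url).origin;
    if (this.index >= 0) this.entries[this.index].savedName = this.name;
    this.entries.length = this.index + 1; // drop forward history
    this.entries.push({ url, savedName: null });
    this.index++;
    if (this.updateEnabled && from !== null && from !== to) this.name = "";
  }

  // A history load (back/forward): on crossing origins, restore the name
  // stored with the target entry instead of carrying the current one over.
  traverse(delta) {
    const target = this.index + delta;
    if (target < 0 || target >= this.entries.length) return false;
    const from = this.origin;
    this.entries[this.index].savedName = this.name;
    this.index = target;
    if (this.updateEnabled && from !== this.origin) {
      this.name = this.entries[target].savedName ?? "";
    }
    return true;
  }
}

// Site A stores an identifier, the user follows a link to site B, then goes back.
function scenario(updateEnabled) {
  const ctx = new BrowsingContextModel(updateEnabled);
  ctx.navigate("https://a.example/page");
  ctx.name = "visitor-id-1234"; // constructed sample value
  ctx.navigate("https://b.example/landing");
  const seenByB = ctx.name;
  ctx.name = "set-by-b";
  ctx.traverse(-1);
  return { seenByB, seenByAAfterBack: ctx.name };
}
```

With the flag on, site B reads an empty name and site A gets its own value back after the back navigation; with it off, the value set by A is readable by B and B's value follows the user back to A.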