Re: Intent to ship: Update browsing context name on cross site navigation or history traversal

2020-09-14 Thread Anne van Kesteren
On Fri, Sep 11, 2020 at 10:55 PM Shuran Huang  wrote:
> Thanks for the pointer. I did not realize it's about the cross-origin 
> navigation that not switch BrowsingInstance. Just to confirm, is the case for 
> top-level navigation only or not?

Cross-origin navigations of top-level browsing contexts whose opener
browsing context is either null or disowned. (It might be that null
and disowned can be merged, but currently they are not
specification-wise.)
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Intent to ship: Update browsing context name on cross site navigation or history traversal

2020-09-11 Thread Shuran Huang
On Friday, September 11, 2020 at 11:26:59 AM UTC-4, Anne van Kesteren wrote:
> On Fri, Sep 11, 2020 at 5:00 PM Shuran Huang  wrote:
> > FYI, here is the tracking bug for this issue in Chrome: crbug.com/1090128.
> 
> Hey Shuran,
> 
> I think the bug you're looking for is
> https://bugs.chromium.org/p/chromium/issues/detail?id=706350. In
> particular this intent to ship is about resetting window.name when the
> browsing context group (aka BrowsingInstance in Chrome) is not
> replaced.
> 
> Kind regards,
> 
> Anne

Hi Anne,

Thanks for the pointer. I did not realize it's about the cross-origin 
navigation that not switch BrowsingInstance. Just to confirm, is the case for 
top-level navigation only or not?

Thanks,
Shuran
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Intent to ship: Update browsing context name on cross site navigation or history traversal

2020-09-11 Thread Anne van Kesteren
On Fri, Sep 11, 2020 at 5:00 PM Shuran Huang  wrote:
> FYI, here is the tracking bug for this issue in Chrome: crbug.com/1090128.

Hey Shuran,

I think the bug you're looking for is
https://bugs.chromium.org/p/chromium/issues/detail?id=706350. In
particular this intent to ship is about resetting window.name when the
browsing context group (aka BrowsingInstance in Chrome) is not
replaced.

Kind regards,

Anne
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Intent to ship: Update browsing context name on cross site navigation or history traversal

2020-09-11 Thread Shuran Huang
On Thursday, September 10, 2020 at 8:47:37 AM UTC-4, Tim Huang wrote:
> Summary:
> 
> The window.name can persist after doing cross-origin navigation, which
> means it can leak information across origins and be used as a tracking
> vector.
> 
> To address this, we want to clear the window.name when doing cross-origin
> navigations. The window.name won't persist across origins, so cannot be
> used for tracking.
> 
> We also want to implement the store/restore window.name in the session
> history when doing history loads. This has been defined in HTML Standard.
> 
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=444222
> 
> Standard:
>   * https://html.spec.whatwg.org/#history-traversal
> 
> Platform coverage: All
> 
> Preference: privacy.window.name.update.enabled
> 
> Devtools bug: Nope.
> 
> Other browsers:
>   * Safari has shipped this.
>   * Chrome doesn't implement this.
> 
> web-platform-tests:
> We will add web-platform-tests for this.
> 
> Secure contexts:
> This is not restricted to secure contexts.
> 
> Is this feature enabled by default in sandboxed iframes?: Yes
> 
> Best,
> Tim,

Hi Tim, 

FYI, here is the tracking bug for this issue in Chrome: crbug.com/1090128.

Thanks,
Shuran
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Intent to ship: Update browsing context name on cross site navigation or history traversal

2020-09-10 Thread Tim Huang
Summary:

The window.name can persist after doing cross-origin navigation, which
means it can leak information across origins and be used as a tracking
vector.

To address this, we want to clear the window.name when doing cross-origin
navigations. The window.name won't persist across origins, so cannot be
used for tracking.

We also want to implement the store/restore window.name in the session
history when doing history loads. This has been defined in HTML Standard.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=444222

Standard:
  * https://html.spec.whatwg.org/#history-traversal

Platform coverage: All

Preference: privacy.window.name.update.enabled

Devtools bug: Nope.

Other browsers:
  * Safari has shipped this.
  * Chrome doesn't implement this.

web-platform-tests:
We will add web-platform-tests for this.

Secure contexts:
This is not restricted to secure contexts.

Is this feature enabled by default in sandboxed iframes?: Yes

Best,
Tim,
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform