Re: Intent to ship: Update browsing context name on cross site navigation or history traversal
On Fri, Sep 11, 2020 at 10:55 PM Shuran Huang wrote: > Thanks for the pointer. I did not realize it's about the cross-origin > navigation that not switch BrowsingInstance. Just to confirm, is the case for > top-level navigation only or not? Cross-origin navigations of top-level browsing contexts whose opener browsing context is either null or disowned. (It might be that null and disowned can be merged, but currently they are not specification-wise.) ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to ship: Update browsing context name on cross site navigation or history traversal
On Friday, September 11, 2020 at 11:26:59 AM UTC-4, Anne van Kesteren wrote: > On Fri, Sep 11, 2020 at 5:00 PM Shuran Huang wrote: > > FYI, here is the tracking bug for this issue in Chrome: crbug.com/1090128. > > Hey Shuran, > > I think the bug you're looking for is > https://bugs.chromium.org/p/chromium/issues/detail?id=706350. In > particular this intent to ship is about resetting window.name when the > browsing context group (aka BrowsingInstance in Chrome) is not > replaced. > > Kind regards, > > Anne Hi Anne, Thanks for the pointer. I did not realize it's about the cross-origin navigation that not switch BrowsingInstance. Just to confirm, is the case for top-level navigation only or not? Thanks, Shuran ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to ship: Update browsing context name on cross site navigation or history traversal
On Fri, Sep 11, 2020 at 5:00 PM Shuran Huang wrote: > FYI, here is the tracking bug for this issue in Chrome: crbug.com/1090128. Hey Shuran, I think the bug you're looking for is https://bugs.chromium.org/p/chromium/issues/detail?id=706350. In particular this intent to ship is about resetting window.name when the browsing context group (aka BrowsingInstance in Chrome) is not replaced. Kind regards, Anne ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to ship: Update browsing context name on cross site navigation or history traversal
On Thursday, September 10, 2020 at 8:47:37 AM UTC-4, Tim Huang wrote: > Summary: > > The window.name can persist after doing cross-origin navigation, which > means it can leak information across origins and be used as a tracking > vector. > > To address this, we want to clear the window.name when doing cross-origin > navigations. The window.name won't persist across origins, so cannot be > used for tracking. > > We also want to implement the store/restore window.name in the session > history when doing history loads. This has been defined in HTML Standard. > > Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=444222 > > Standard: > * https://html.spec.whatwg.org/#history-traversal > > Platform coverage: All > > Preference: privacy.window.name.update.enabled > > Devtools bug: Nope. > > Other browsers: > * Safari has shipped this. > * Chrome doesn't implement this. > > web-platform-tests: > We will add web-platform-tests for this. > > Secure contexts: > This is not restricted to secure contexts. > > Is this feature enabled by default in sandboxed iframes?: Yes > > Best, > Tim, Hi Tim, FYI, here is the tracking bug for this issue in Chrome: crbug.com/1090128. Thanks, Shuran ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Intent to ship: Update browsing context name on cross site navigation or history traversal
Summary: The window.name can persist after doing cross-origin navigation, which means it can leak information across origins and be used as a tracking vector. To address this, we want to clear the window.name when doing cross-origin navigations. The window.name won't persist across origins, so cannot be used for tracking. We also want to implement the store/restore window.name in the session history when doing history loads. This has been defined in HTML Standard. Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=444222 Standard: * https://html.spec.whatwg.org/#history-traversal Platform coverage: All Preference: privacy.window.name.update.enabled Devtools bug: Nope. Other browsers: * Safari has shipped this. * Chrome doesn't implement this. web-platform-tests: We will add web-platform-tests for this. Secure contexts: This is not restricted to secure contexts. Is this feature enabled by default in sandboxed iframes?: Yes Best, Tim, ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform