210776 2020-04-20 17:48:29 -0700 sessionStorage is not isolated by site 2022-08-29 05:33:51 -0700 1 1 1 Unclassified WebKit New Bugs Safari Technology Preview Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=244492 InRadar P2 Normal --- 1 senglehardt m_finkel bfulgham rackler sihui_liu webkit-bug-importer wilander oldest_to_newest 1643710 0 senglehardt 2020-04-20 17:48:29 -0700 window.sessionStorage is not isolated by the top-level site, and thus is a cross-site tracking vector. Example: 1. A user visits example.com which embeds tracker.example 2. tracker.example checks window.sessionStorage. If empty it reads an ID from persistent, site-isolated storage (e.g., localStorage) and writes it to sessionStorage. 3. The user visits news.example, which also embeds tracker.example. 4. tracker.example checks window.sessionStorage, sees the unique ID, and writes it out to persistent site-isolated storage under news.example. 5. Repeat as the user browsers the web. 1644545 1 webkit-bug-importer 2020-04-22 15:34:19 -0700 <rdar://problem/62215013> 1840890 2 bfulgham 2022-02-12 21:03:22 -0800 This is actually: <rdar://57674840> 1880882 3 m_finkel 2022-07-05 20:35:55 -0700 Pull request: https://github.com/webkit/WebKit/pull/2109 1881851 4 460774 sihui_liu 2022-07-08 19:45:21 -0700 Created attachment 460774 test.html 1881885 5 sihui_liu 2022-07-09 10:24:22 -0700 (In reply to Sihui Liu from comment #4) > Created attachment 460774 [details] > test.html (you can use run-webkit-httpd in Tools/Scripts to launch http server and open the test in MiniBrowser) 1893634 6 ews-feeder 2022-08-24 18:50:43 -0700 Committed 253762@main (d5739b8e0974): <https://commits.webkit.org/253762@main> Reviewed commits have been landed. Closing PR #2109 and removing active labels. 1893771 7 rackler 2022-08-25 12:03:26 -0700 I have marked this test as a flaky failure while this issue is investigated. 460774 2022-07-08 19:45:21 -0700 2022-07-08 19:45:21 -0700 test.html test.html text/html 1101 sihui_liu PGh0bWw+Cjxib2R5Pgo8c2VjdGlvbj4KVGVzdCBzdGVwcwo8b2w+CiAgPGxpPkxvYWQgaHR0cDov LzEyNy4wLjAuMTo4MDAwL3Rlc3QuaHRtbDwvbGk+CiAgPGxpPkNsaWNrICJTZXQgaXRlbSI8L2xp PgogIDxsaT5DbGljayAiR2V0IGl0ZW0iIGFuZCB2ZXJpZnkgaXRlbSBpcyB0aGVyZTwvbGk+CiAg PGxpPkNsaWNrICJPcGVuIGxvY2FsaG9zdCI8L2xpPgogIDxsaT5DbGljayAiR28gYmFjayI8L2xp PgogIDxsaT5DbGljayAiR2V0IGl0ZW0iIGFuZCB2ZXJpZnkgaXRlbSBpcyB0aGVyZTwvbGk+Cjwv b2w+IAo8L3NlY3Rpb24+CjxidXR0b24gaWQ9Im9wZW5sb2NhbGhvc3QiIG9uY2xpY2s9Im9wZW5M b2NhbGhvc3QoKSI+T3BlbiBsb2NhbGhvc3Q8L2J1dHRvbj4KPGJ1dHRvbiBvbmNsaWNrPSJzZXRJ dGVtKCkiPlNldCBpdGVtPC9idXR0b24+CjxidXR0b24gb25jbGljaz0iZ2V0SXRlbSgpIj5HZXQg aXRlbTwvYnV0dG9uPgo8YnV0dG9uIG9uY2xpY2s9ImJhY2soKSI+R28gYmFjazwvYnV0dG9uPgo8 cCBpZD0iY29uc29sZSI+PC9wPgo8c2NyaXB0Pgp2YXIgZ2xvYmFsU3RvcmFnZSA9IHdpbmRvdy5z ZXNzaW9uU3RvcmFnZTsKCmZ1bmN0aW9uIGxvZyh0ZXh0KQp7CiAgICBsb2dnaW5ncyA9IGRvY3Vt ZW50LmdldEVsZW1lbnRCeUlkKCJjb25zb2xlIikKICAgIG5vZGUgPSBkb2N1bWVudC5jcmVhdGVU ZXh0Tm9kZSh0ZXh0KTsKICAgIGxvZ2dpbmdzLmFwcGVuZENoaWxkKG5vZGUpOwogICAgbG9nZ2lu Z3MuYXBwZW5kQ2hpbGQoZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiYnIiKSk7Cn0KCmZ1bmN0aW9u IGdldEl0ZW0oKQp7CiAgICBsb2coIkdvdCAiICsgZ2xvYmFsU3RvcmFnZS5nZXRJdGVtKCdrZXkn KSArICJcbiIpOwp9CgpmdW5jdGlvbiBzZXRJdGVtKCkKewogICAgaXRlbSA9IGdsb2JhbFN0b3Jh Z2Uuc2V0SXRlbSgna2V5JywgJ3ZhbHVlJyk7Cn0KCmZ1bmN0aW9uIG9wZW5Mb2NhbGhvc3QoKQp7 CiAgICB3aW5kb3cub3BlbigiaHR0cDovL2xvY2FsaG9zdDo4MDAwL3Rlc3QuaHRtbCIsICJfc2Vs ZiIpOwp9CgpmdW5jdGlvbiBiYWNrKCkKewogICAgaGlzdG9yeS5iYWNrKCk7Cn0KCjwvc2NyaXB0 Pgo8L2JvZHk+CjwvaHRtbD4K