Bug 210776 - sessionStorage is not isolated by site
Summary: sessionStorage is not isolated by site
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Matthew Finkel
Keywords: InRadar
Reported: 2020-04-20 17:48 PDT by Steven Englehardt
Modified: 2022-08-29 05:33 PDT
Attachments
test.html (1.08 KB, text/html)
2022-07-08 19:45 PDT, Sihui Liu
Description Steven Englehardt 2020-04-20 17:48:29 PDT
window.sessionStorage is not isolated by the top-level site, and thus is a cross-site tracking vector.

Example:
1. A user visits example.com which embeds tracker.example
2. tracker.example checks window.sessionStorage. If empty it reads an ID from persistent, site-isolated storage (e.g., localStorage) and writes it to sessionStorage.
3. The user visits news.example, which also embeds tracker.example.
4. tracker.example checks window.sessionStorage, sees the unique ID, and writes it out to persistent site-isolated storage under news.example.
5. Repeat as the user browses the web.
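
Added example (not part of the original report and not WebKit code): a small Node.js model of the steps above, showing that the identifier stops following the user once the sessionStorage area is keyed by (top-level site, frame origin) instead of frame origin alone. The `Tab` class, the function names and the `id-N` values are constructed for illustration, and the model assumes both visits happen in the same tab.

```javascript
// Constructed model of one tab's storage; it does not reflect WebKit internals.
class Tab {
  constructor(partitionBySite) {
    this.partitionBySite = partitionBySite;
    this.session = new Map(); // sessionStorage areas for this tab
    this.local = new Map();   // persistent storage, site-isolated in this model
  }
  area(store, key) {
    if (!store.has(key)) store.set(key, new Map());
    return store.get(key);
  }
  sessionStorageFor(topSite, frameOrigin) {
    // Reported behaviour: key is the frame origin only.
    // Isolated behaviour: key also includes the top-level site.
    const key = this.partitionBySite ? `${topSite}|${frameOrigin}` : frameOrigin;
    return this.area(this.session, key);
  }
  localStorageFor(topSite, frameOrigin) {
    return this.area(this.local, `${topSite}|${frameOrigin}`);
  }
}

// Logic of the embedded third-party frame, as in steps 2 and 4 of the report.
function embeddedFrameRuns(tab, topSite, frameOrigin, freshId) {
  const session = tab.sessionStorageFor(topSite, frameOrigin);
  const local = tab.localStorageFor(topSite, frameOrigin);
  if (!session.has("id")) {
    if (!local.has("id")) local.set("id", freshId); // first visit under this site
    session.set("id", local.get("id"));             // step 2
  } else {
    local.set("id", session.get("id"));             // step 4
  }
  return local.get("id");
}

// Returns the identifier the embedded frame ends up with under each top-level site.
function idsSeenAcrossSites(partitionBySite) {
  const tab = new Tab(partitionBySite);
  return ["example.com", "news.example"].map((site, i) =>
    embeddedFrameRuns(tab, site, "tracker.example", `id-${i}`));
}

console.log("keyed by frame origin only:", idsSeenAcrossSites(false));
console.log("keyed by top-level site too:", idsSeenAcrossSites(true));
```

A regression check for this bug can follow the same shape: load the same third-party frame under two different top-level sites in one tab and assert that a value written to sessionStorage under the first is absent under the second.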
Comment 1 Radar WebKit Bug Importer 2020-04-22 15:34:19 PDT
<rdar://problem/62215013>
Comment 2 Brent Fulgham 2022-02-12 21:03:22 PST
This is actually:
<rdar://57674840>
Comment 3 Matthew Finkel 2022-07-05 20:35:55 PDT
Pull request: https://github.com/webkit/WebKit/pull/2109
Comment 4 Sihui Liu 2022-07-08 19:45:21 PDT
Created attachment 460774
test.html
Comment 5 Sihui Liu 2022-07-09 10:24:22 PDT
(In reply to Sihui Liu from comment #4)
> Created attachment 460774
> test.html

(you can use run-webkit-httpd in Tools/Scripts to launch http server and open the test in MiniBrowser)
Comment 6 EWS 2022-08-24 18:50:43 PDT
Committed 253762@main (d5739b8e0974): <https://commits.webkit.org/253762@main>

Reviewed commits have been landed. Closing PR #2109 and removing active labels.
Comment 7 Karl Rackler 2022-08-25 12:03:26 PDT
I have marked this test as a flaky failure while this issue is investigated.