None
https://html.spec.whatwg.org/multipage/browsing-the-web.html#resetBCName
The value of the window.name property is currently preserved throughout the lifetime of a tab, even with navigation that switches browsing context groups, such as when a user initiates a navigation from the URL bar or some cross-site navigation by clicking on a hyperlink on the current page. This can leak information and potentially be used as a tracking vector.
To address this, we want to clear the window.name when the navigation is cross-site and switches browsing context groups, which aligns with the requirement by the spec. The implementation is behind a flag. This should be a low risk change since looking up a browsing context by name (https://html.spec.whatwg.org/multipage/browsers.html#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name) does not work where the documents’ origins are different and in different browsing context groups, so the name isn't actually useful. User counter is at around 0.006%: https://www.chromestatus.com/metrics/feature/timeline/popularity/3353
There are two other related changes that are required by spec but not covered in this intent, and are addressed by separate bugs:
Restoring browsing context names on navigation (as defined in https://html.spec.whatwg.org/multipage/browsing-the-web.html#history-traversal): https://crbug.com/1141017
Clearing window.name for cross-site navigations when the browsing context group is not replaced: https://crbug.com/706350.
None
Not applicable
This change will affect where window.name is used for cross-domain communication, but we already have window.postMessage() as the recommended mechanism for the purpose. Other browsers are mitigating this usage as well.
Firefox: Shipped
Safari: Shipped
Web developers: No signals
https://www.chromestatus.com/feature/5962406356320256
Contact emails
Explainer
None
Specification
https://html.spec.whatwg.org/multipage/browsing-the-web.html#resetBCName
Summary
The value of the window.name property is currently preserved throughout the lifetime of a tab, even with navigation that switches browsing context groups, such as when a user initiates a navigation from the URL bar or some cross-site navigation by clicking on a hyperlink on the current page. This can leak information and potentially be used as a tracking vector.
To address this, we want to clear the window.name when the navigation is cross-site and switches browsing context groups, which aligns with the requirement by the spec. The implementation is behind a flag. This should be a low risk change since looking up a browsing context by name (https://html.spec.whatwg.org/multipage/browsers.html#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name) does not work where the documents’ origins are different and in different browsing context groups, so the name isn't actually useful. User counter is at around 0.006%: https://www.chromestatus.com/metrics/feature/timeline/popularity/3353
There are two other related changes that are required by spec but not covered in this intent, and are addressed by separate bugs:
Restoring browsing context names on navigation (as defined in https://html.spec.whatwg.org/multipage/browsing-the-web.html#history-traversal): https://crbug.com/1141017
Clearing window.name for cross-site navigations when the browsing context group is not replaced: https://crbug.com/706350.
Blink component
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
This change will affect where window.name is used for cross-domain communication, but we already have window.postMessage() as the recommended mechanism for the purpose. Other browsers are mitigating this usage as well.
Firefox: Shipped
This seems like a privacy-positive change, so thanks for working on this!On Wednesday, March 31, 2021 at 10:36:11 PM UTC+2 Shuran Huang wrote:Contact emails
Explainer
None
Specification
https://html.spec.whatwg.org/multipage/browsing-the-web.html#resetBCName
Summary
The value of the window.name property is currently preserved throughout the lifetime of a tab, even with navigation that switches browsing context groups, such as when a user initiates a navigation from the URL bar or some cross-site navigation by clicking on a hyperlink on the current page. This can leak information and potentially be used as a tracking vector.
To address this, we want to clear the window.name when the navigation is cross-site and switches browsing context groups, which aligns with the requirement by the spec. The implementation is behind a flag. This should be a low risk change since looking up a browsing context by name (https://html.spec.whatwg.org/multipage/browsers.html#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name) does not work where the documents’ origins are different and in different browsing context groups, so the name isn't actually useful. User counter is at around 0.006%: https://www.chromestatus.com/metrics/feature/timeline/popularity/3353
Hmm, did you mean 0.6%?Usage seems rather high for such an esoteric bit of functionality. Did you do some more digging as to how this is being used and by whom?
There are two other related changes that are required by spec but not covered in this intent, and are addressed by separate bugs:
Restoring browsing context names on navigation (as defined in https://html.spec.whatwg.org/multipage/browsing-the-web.html#history-traversal): https://crbug.com/1141017
Clearing window.name for cross-site navigations when the browsing context group is not replaced: https://crbug.com/706350.
Blink component
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
This change will affect where window.name is used for cross-domain communication, but we already have window.postMessage() as the recommended mechanism for the purpose. Other browsers are mitigating this usage as well.
Firefox: Shipped
Seems like they've hit some compatibility issues related to WebDriver: https://bugzilla.mozilla.org/show_bug.cgi?id=1685089#c8Have we looked into that? Would we suffer from similar issues?
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJ3-5L2c9wXMJ841984sZRHQMOaafX9NbJo6JKSdaO4a2Yg2pw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DdgafDyF-Btpx0KCwUAh3RQaz3hjT9aX7K9kUYygENJ9g%40mail.gmail.com.
Based on the UKM collected from beta M91, this feature is triggered the most on https://www.google.com, way higher than other origins.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJ3-5L2c9wXMJ841984sZRHQMOaafX9NbJo6JKSdaO4a2Yg2pw%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/55bcc3c0-3fb3-4bc4-a728-9d4270797414n%40chromium.org.