Intent to implement: Clear browsing context name on cross site navigation or history traversal

69 views
Skip to first unread message

Andy Paicu

unread,
Mar 29, 2017, 7:25:06 AM3/29/17
to blin...@chromium.org

Contact emails

andy...@gmail.com


Spec

https://html.spec.whatwg.org/multipage/browsers.html#resetBCName


Summary

This is a port of this change: https://trac.webkit.org/changeset/209076/webkit from safari. To summarize:


When updating the history after a cross-origin navigation, the HTML Standard says:

"If the browsing context is a top-level browsing context, but not an auxiliary browsing

context, then set the browsing context's name to the empty string."


Currently we are not doing this which means there's potential information leak.


We don't really have any user data to know how used this is and how it will impact users

so for now the implementation will be behind a flag and we will set up metrics to get the necessary data to make a decision.


Motivation

It implements the HTML Standard and fixes a potential information leak.


Interoperability and Compatibility Risk


Edge: No signals

Firefox: No signals

Safari: Shipped

Web developers: No signals


Ongoing technical constraints

None


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes


OWP launch tracking bug

Add crbug.com/706350


Link to entry on the feature dashboard

https://www.chromestatus.com/feature/5929195548966912


Requesting approval to ship?
No
Reply all
Reply to author
Forward
0 new messages