Summary:
The window.name can persist after doing cross-origin navigation, which means it can leak information across origins and be used as a tracking vector.

To address this, we want to clear the window.name when doing cross-origin navigations. The window.name won't persist across origins, so it cannot be used for tracking.

We also want to implement the store/restore of window.name in the session history when doing history loads. This has been defined in the HTML Standard.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=444222
Standard:
* https://html.spec.whatwg.org/#history-traversal
Platform coverage: All
Preference: privacy.window.name.update.enabled
Devtools bug: Nope.
Other browsers:
* Safari has shipped this.
* Chrome doesn't implement this.
web-platform-tests: We will add web-platform-tests for this.
Secure contexts: This is not restricted to secure contexts.
Is this feature enabled by default in sandboxed iframes?: Yes
Best,
Tim,
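
The behaviour described in the summary, as an added example that is not part of the original message and is not Gecko code. It is a simplified model of a single top-level window: the class, the `clearOnCrossOrigin` switch (standing in for the preference), the origins and the name values are all constructed for illustration, and openers and iframes are not modelled.

```javascript
// Simplified model of one top-level window and its session history.
class ModelWindow {
  constructor(url, clearOnCrossOrigin) {
    this.clearOnCrossOrigin = clearOnCrossOrigin; // models the pref on/off
    this.name = "";
    this.entries = [{ url, savedName: null }];
    this.index = 0;
  }
  get origin() { return new URL(this.entries[this.index].url).origin; }

  // Store the current name in the entry being left, then clear it.
  leaveCurrentEntry() {
    this.entries[this.index].savedName = this.name;
    this.name = "";
  }
  navigate(url) {
    const crossOrigin = new URL(url).origin !== this.origin;
    if (this.clearOnCrossOrigin && crossOrigin) this.leaveCurrentEntry();
    this.entries = this.entries.slice(0, this.index + 1); // drop forward entries
    this.entries.push({ url, savedName: null });
    this.index = this.entries.length - 1;
  }
  // History load: restore the name that was stored in the target entry.
  traverse(delta) {
    const target = this.index + delta;
    if (target < 0 || target >= this.entries.length) return;
    const crossOrigin = new URL(this.entries[target].url).origin !== this.origin;
    if (this.clearOnCrossOrigin && crossOrigin) {
      this.leaveCurrentEntry();
      this.name = this.entries[target].savedName ?? "";
      this.entries[target].savedName = null;
    }
    this.index = target;
  }
}

// a.example sets a name, the user goes to b.example, then Back, then Forward.
function scenario(clearOnCrossOrigin) {
  const w = new ModelWindow("https://a.example/start", clearOnCrossOrigin);
  w.name = "visitor-1234";            // constructed identifier set by a.example
  w.navigate("https://b.example/landing");
  const seenByB = w.name;             // what b.example can read
  w.name = "set-by-b";
  w.traverse(-1);
  const seenByAAfterBack = w.name;    // what a.example reads after Back
  w.traverse(1);
  return { seenByB, seenByAAfterBack, seenByBAfterForward: w.name };
}

console.log({ before: scenario(false), after: scenario(true) });
```

With the switch off, b.example reads the identifier a.example wrote and a.example later reads what b.example wrote; with it on, each origin only ever sees its own value, and the values survive Back/Forward.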