Open Bug 1556816 Opened 1 year ago Updated 5 days ago

Synchronous cross-frame DOM access (e.g. leaked through window.opener) breaks dynamic FPI


(Core :: Privacy: Anti-Tracking, defect, P3)





(Reporter: ehsan, Unassigned)


(Blocks 1 open bug)


Here is the attack scenario.

  • https://tracker.example/shady.js is a tracking script not on the Disconnect TP list which is widely deployed across the web.
  • shady.js does something like below:
  let userId = localStorage['myUserId'];
  if (top.opener) {
    for (let win of top.opener.frames) {
      try {
        win.contentWindow.localStorage['otherUseId'] = userId;
      } catch (e) { continue; }
  • This script is opportunistically snooping the opener's frame list, and if it finds a same-origin iframe, it'll leak the unique user ID from within the current frame into the iframe that was served from https://tracker.example, breaking the dynamic FPI partition boundary.
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.