Earlier this week, a bug was discovered in Safari that allowed certain pages to access recent browsing information. Apple is already working on the error and has already offered a solution, which we should see sooner rather than later.
A bug that affects about 3% of the most visited domains
The situation is this: due to an error in the implementation of the JavaScript API, calls to IndexedDB do not meet the "Same Origin" requirement. Without going into more technical detail, this means that access to the database used by certain websites is not limited to each website reading the information it has stored there itself; other websites can also view information recorded by third parties.
Because of this, as can be seen in this demo of the concept, a website can learn information about recent browsing. From which sites? Those that use IndexedDB to store information. Google, the most serious example, stores the user ID in this database.
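The same-origin rule described above, as a simplified model added here for illustration (not WebKit's code; the class, its method names and the sample sites are constructed). An unscoped listing returns what every site recorded, while the scoped one filters by the caller's origin:

```javascript
// Simplified model of per-origin IndexedDB bookkeeping. Added illustration,
// not WebKit code; class, method names and sample URLs are constructed.
class DatabaseRegistry {
  constructor() {
    this.entries = []; // { origin, name } for every database opened in the session
  }

  // An origin is the (scheme, host, port) triple; URL.origin serializes it.
  static originOf(pageUrl) {
    return new URL(pageUrl).origin;
  }

  open(pageUrl, name) {
    const origin = DatabaseRegistry.originOf(pageUrl);
    if (!this.entries.some(e => e.origin === origin && e.name === name)) {
      this.entries.push({ origin, name });
    }
  }

  // Behaviour the article describes: the caller's origin is ignored,
  // so every page sees what every other site recorded.
  listUnscoped(_pageUrl) {
    return this.entries.map(e => e.name);
  }

  // Same-origin behaviour: only entries created by the caller's own origin.
  listScoped(pageUrl) {
    const origin = DatabaseRegistry.originOf(pageUrl);
    return this.entries.filter(e => e.origin === origin).map(e => e.name);
  }

  // Entries a listing exposes to a page beyond the ones its own origin created.
  foreignNames(pageUrl, list) {
    const own = new Set(this.listScoped(pageUrl));
    return list.call(this, pageUrl).filter(n => !own.has(n));
  }
}

// Constructed sample session: three sites, plus an http:// variant of one host.
function buildSampleRegistry() {
  const registry = new DatabaseRegistry();
  registry.open("https://mail.example/inbox", "offline-cache.user-1001");
  registry.open("https://video.example/watch", "player-settings");
  registry.open("https://news.example/", "reader-prefs");
  registry.open("http://news.example/", "legacy-prefs"); // other scheme, other origin
  return registry;
}
```

Calling `foreignNames` with `listUnscoped` shows what a page outside the owning origin would learn; with `listScoped` the result is empty.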
As we can see in the WebKit GitHub project, Apple has already created a commit with the solution. That solution must arrive with an update to the various operating systems and with a new version of Safari. We do not know the exact date of its arrival, but we would wager that it will be soon.
It should be remembered that not all web pages interact with the IndexedDB database. Of Alexa's top 1,000 most visited domains, only 30 do so on their front page. That's 3%. Still, that's certainly not how Safari normally works, so for now we'll keep an eye out for an update.
pictures | Philippe Katzenberger