https://github.com/samouri/chrome-incognito-storage-bug
Chrome treating different ports as the same origin
Last synced: about 1 year ago
- Host: GitHub
- URL: https://github.com/samouri/chrome-incognito-storage-bug
- Owner: samouri
- Created: 2020-11-18T00:37:00.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2020-11-18T17:36:46.000Z (over 5 years ago)
- Last Synced: 2025-01-26T03:41:12.382Z (over 1 year ago)
- Language: HTML
- Size: 2.93 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# chrome-incognito-storage-bug
- Chrome blocks cross-origin iframes from accessing `localStorage` and `sessionStorage` when in incognito mode.
- The port is supposed to be part of what determines whether an iframe is same-origin. The same URL accessed on a different port should therefore be considered cross-origin.
- This repository shows that Chrome allows storage access in an incognito window for an iframe whose domain differs from the page's only in port.
## To reproduce
1. Map `also.localhost` to `127.0.0.1` in your `/etc/hosts` file.
2. Run two HTTP servers (e.g. `npx http-server`), one on port 3001 and the other on port 3002.
3. Open `index.html` in an incognito window and check the Developer Console. The `storage.js` script prints whether or not Storage is usable.
## Browser Results
**Chrome**
- iframe at `also.localhost` does not have access to storage.
- iframe at `localhost:3002` (other port) *does*.
**Safari**
- both iframes have storage access.
**Firefox**
- both iframes have storage access.
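
An added example, not the repository's `storage.js`: a storage probe in the spirit of the script described in step 3, plus an origin check applied to the Chrome results listed above. The frame URLs, the `iframe.html` file name and the port used for `also.localhost` are assumptions.

```javascript
// Added example (not the repository's storage.js). The URLs below are
// assumptions based on the reproduction steps; adjust them to your setup.

// Two URLs are same-origin only if scheme, host AND port all match.
// URL.origin serializes exactly that tuple (default ports are normalized away).
function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Probe a Storage object. `getStorage` is a thunk because in a blocked frame
// merely reading window.localStorage can throw a SecurityError.
function probeStorage(getStorage) {
  const key = "__storage_probe__";
  try {
    const storage = getStorage();
    storage.setItem(key, "1");
    const ok = storage.getItem(key) === "1";
    storage.removeItem(key);
    return { usable: ok, error: null };
  } catch (err) {
    return { usable: false, error: err.name };
  }
}

// Flag frames that are cross-origin to the top page yet could use storage.
function findUnexpectedAccess(topUrl, observations) {
  return observations
    .filter((o) => !isSameOrigin(topUrl, o.frameUrl) && o.usable)
    .map((o) => o.frameUrl);
}

// Constructed sample: the Chrome incognito results reported in this README.
const TOP = "http://localhost:3001/index.html";
const chromeIncognito = [
  { frameUrl: "http://also.localhost:3001/iframe.html", usable: false },
  { frameUrl: "http://localhost:3002/iframe.html", usable: true },
];

if (typeof window !== "undefined") {
  // In a browser frame: report the live result for both storage areas.
  console.log("localStorage", probeStorage(() => window.localStorage));
  console.log("sessionStorage", probeStorage(() => window.sessionStorage));
} else {
  // Outside a browser: list the frames whose access contradicts their origin.
  console.log(findUnexpectedAccess(TOP, chromeIncognito));
}
```

Loaded inside each iframe, the probe reports the live result; run under Node, it lists the frames from the sample whose storage access does not match their cross-origin status.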