<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Non-persistent third party iframe localStorage"

   href="https://bugs.webkit.org/show_bug.cgi?id=168631">168631</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Non-persistent third party iframe localStorage

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>Safari 10

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>JavaScriptCore

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>malteubl&#64;google.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Safari behaves differently for localStorage accessed in third party context compared to other browsers in 2 fundamental ways:

1. Storage is scoped to the entire chain of iframes.

2. Storage is non-persistent. Data is deleted when browsers exit.

#1 seems great and working as intended, but while talking with John Wilander on Twitter we were wondering if #2 might be a bug. (<a href="https://twitter.com/johnwilander/status/833462485592125441">https://twitter.com/johnwilander/status/833462485592125441</a>)

Here is a simple test case <a href="http://output.jsbin.com/siwulo/1/quiet">http://output.jsbin.com/siwulo/1/quiet</a>

- Press +1 a few times

- Hit reload. Observe that count is kept.

- Restart Safari (Desktop or iOS)

- Load page again. Observe that count is 0 again.

Is this behavior intended? On Desktop where Safari may be running for many months and on mobile where it is very unpredictable when it restarts, this seems unpredictable with little actual privacy benefit.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>