Safari 15 Does Not Respect Same-Origin Policy for IndexedDB, Permitting Extraordinary Cross-Site Tracking

Martin Bajanik, of FingerprintJS:

In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window. For clarity, we will refer to the newly created databases as “cross-origin-duplicated databases” for the remainder of the article.

I know I just wrote it in the headline, but this is an extraordinary bug. Michael Tsai points to a November 2021 WebKit bug report that has since been access-restricted.

You know what is most wild about this for me? I came across this bug when working on some web development last autumn, but I assumed I must be misinterpreting what I was seeing because there was no way such a critical vulnerability would be so transparently visible. Alas.

According to Bajanik, some patches were committed to WebKit this weekend that should fix this bug. That is the good news. The bad news is that this same bug is present in every implementation of Safari 15’s engine, including every iOS browser since they all use the same engine, and no software updates have been issued to fix this vulnerability.

Update: The updates to MacOS, iOS, and iPadOS that will be released shortly contain a fix for this bug.