John Wilander of Apple’s WebKit team:
The reason why we cap the lifetime of script-writable storage is simple. Site owners have been convinced to deploy third-party scripts on their websites for years. Now those scripts are being repurposed to circumvent browsers’ protections against third-party tracking. By limiting the ability to use any script-writable storage for cross-site tracking purposes, ITP 2.3 makes sure that third-party scripts cannot leverage the storage powers they have gained over all these websites.
I remember when hotlinked third-party media on your website would get the picture replaced with something funny or disturbing — though there is nothing of the sort on the linked page. This paragraph is a reminder that it can be so much worse when you factor in the breadth of capabilities typically afforded to scripts.
It’s great to see the WebKit team continuing to treat privacy violations with the same gravity as security vulnerabilities; the two go hand-in-hand.