For the past four months, Apple’s iOS and iPadOS devices and Safari browser have violated one of the Internet’s most sacrosanct security policies. The violation results from a bug that leaks user identities and browsing activity in real time.
The same-origin policy is a foundational security mechanism that forbids documents, scripts, or other content loaded from one origin—meaning the protocol, domain name, and port of a given webpage or app—from interacting with resources from other origins. Without this policy, malicious sites—say, badguy.example.com—could access login credentials for Google or another trusted site when it’s open in a different browser window or tab.
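The origin comparison described above, sketched as an added example that is not code from the article or from any browser. The function names and sample URLs are constructed, and schemes outside http(s)/ws(s) are assumed to be opaque origins that never match.

```javascript
// Added example: same-origin comparison over the (protocol, host, port) tuple.
// Function names and sample URLs are constructed for illustration.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Return the origin tuple, or null for schemes treated here as opaque origins
// (data:, file:, ...), which never match anything, including themselves.
function originTuple(urlString) {
  const u = new URL(urlString); // WHATWG URL lowercases the host and drops default ports
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    protocol: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol], // make the implicit port explicit
  };
}

// List which tuple components differ; an empty list means same origin.
function originDiff(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return ["opaque"];
  return ["protocol", "host", "port"].filter((k) => x[k] !== y[k]);
}

function sameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// Constructed sample pairs: each differs from the first URL in a different way.
const samples = [
  ["https://example.com/a", "https://EXAMPLE.com:443/b"],      // same origin
  ["https://example.com/", "http://example.com/"],             // protocol (and port)
  ["https://example.com/", "https://example.com:8443/"],       // port only
  ["https://badguy.example.com/", "https://www.google.com/"],  // host only
  ["data:text/html,hi", "data:text/html,hi"],                  // opaque
];
for (const [a, b] of samples) {
  const diff = originDiff(a, b);
  console.log(`${a} vs ${b}: ${diff.length ? "cross-origin (" + diff.join(", ") + ")" : "same origin"}`);
}
```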
Obvious privacy violation
Since September’s release of Safari 15 and iOS and iPadOS 15, this policy has been broken wide open, research published late last week found. As a demo site graphically reveals, it’s trivial for one site to learn the domains of sites open in other tabs or windows, as well as user IDs and other identifying information associated with the other sites.