Safari and iOS users: Your browsing activity is being leaked in real time - Ars Technica
Jan 18, 2022
Without the same-origin policy, malicious sites—say, badguy.example.com—could access login credentials for Google or another trusted site when it’s open in a different browser window or tab.

As a demo site graphically reveals, it’s trivial for one site to learn the domains of sites open in other tabs or windows, as well as user IDs and other identifying information associated with the other sites.

The leak lets arbitrary websites learn what websites the user visits in different tabs or windows.

Attacks work on Macs running Safari 15 and on any browser running on iOS or iPadOS 15.

When logged in to a Google account open elsewhere, for instance, the demo site can obtain the internal identifier Google uses to identify each account.

This allows one site to learn in real time what other websites a user is visiting.

By embedding an iframe or popup in its HTML code, a site can open another site in order to cause an IndexedDB-based leak for that site.

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” Bajanik wrote.

“Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window.”

For now, people should be wary when using Safari for desktop or any browser running on iOS or iPadOS.
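
The behaviour Bajanik describes can be modelled beside same-origin scoping to show what changes. This is an added example, not code from the article or from WebKit; the `Session` class, frame ids, the `mail.example` origin and the database name are constructed for illustration.

```javascript
// Toy model of one browser session (a separate profile or private window
// would be a separate Session). All names here are hypothetical.
class Session {
  constructor(sameOriginEnforced) {
    this.sameOriginEnforced = sameOriginEnforced;
    this.frames = new Map();   // frameId -> { origin, names: Set }
    this.creators = new Map(); // db name -> Set of origins that opened it
  }
  openFrame(id, origin) {
    this.frames.set(id, { origin, names: new Set() });
  }
  // A frame interacts with a database of the given name.
  openDatabase(frameId, name) {
    const src = this.frames.get(frameId);
    if (!src) throw new Error(`unknown frame: ${frameId}`);
    if (!this.creators.has(name)) this.creators.set(name, new Set());
    this.creators.get(name).add(src.origin);
    for (const frame of this.frames.values()) {
      // Flawed mode: the name shows up in every active frame of the session.
      // Enforced mode: only frames of the opening origin see it.
      if (!this.sameOriginEnforced || frame.origin === src.origin) {
        frame.names.add(name);
      }
    }
  }
  // Database names visible to a frame whose own origin never opened them.
  exposures() {
    const found = [];
    for (const [id, frame] of this.frames) {
      for (const name of frame.names) {
        if (!this.creators.get(name).has(frame.origin)) {
          found.push({ frame: id, origin: frame.origin, name });
        }
      }
    }
    return found;
  }
}

function demo(sameOriginEnforced) {
  const s = new Session(sameOriginEnforced);
  s.openFrame("tab-1", "https://mail.example");
  s.openFrame("tab-2", "https://badguy.example.com");
  s.openDatabase("tab-1", "offline-cache.user-1234"); // constructed name
  return s.exposures();
}

console.log("flawed:", demo(false), "enforced:", demo(true));
```

In the flawed mode the second tab sees a database name it never created, which is why identifiers placed in database names become readable across sites.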
