This demo showcases information leaks resulting from an IndexedDB same-origin policy violation in WebKit (a browser engine primarily used in Safari, as well as all iOS and iPadOS web browsers). You can test this demo on all affected browsers: Safari 15 on macOS, or any browser on iOS and iPadOS 15.
The demo illustrates how any website can learn a visitor's recent and current browsing activity (pages visited in different tabs or windows) using this leak.
For authenticated visitors the demo can leak Google User IDs and profile pictures (if set).
Read our article or watch our screencast on YouTube for more information.
You need to install Node.js and Yarn to run the application.
To fetch Google profile pictures as part of the demo, you'll need to provide an People API key. To do that, rename the .env.example file to .env, open .env and add a valid key.
Open this directory in a terminal and run:
yarn install
yarn startWe use eslint to check the code style:
yarn lint