From 5c7c0a9a7acb5816fc59222c132af64b361a2b3f Mon Sep 17 00:00:00 2001 From: Tobias Eidelpes Date: Mon, 10 Aug 2020 18:12:47 +0200 Subject: [PATCH] Add reference for window.name property --- methods.tex | 32 ++++++++++++++++---------------- references.bib | 15 +++++++++++++-- 2 files changed, 29 insertions(+), 18 deletions(-) diff --git a/methods.tex b/methods.tex index 8496c2d..9b54931 100644 --- a/methods.tex +++ b/methods.tex @@ -193,22 +193,22 @@ individual parts to be altered when a specific event happens (e.g., user interaction). Furthermore, each object has properties which are either applied to all \gls{HTML} elements or only to a subset of all elements. -One useful property for tracking purposes is the \texttt{window.name} property. -Its original intention was to allow client-side JavaScript to get or set the -name of the current window. Since windows do not have to have names, the -window.name property is being used mostly for setting targets for hyperlinks and -forms. Modern browsers allow storing up to two megabytes of data in the -window.name property, which makes it a viable option for using it as a data -storage or---more specifically---maintaining session variables. In order to -store multiple variables in the window.name property, the values have first to -be packed in some way because only a single string is allowed. A \gls{JSON} -stringifier converts a normal string into a \gls{JSON} string which is then -ready to be stored in the \gls{DOM} property. Additionally, serializers can also -convert JavaScript objects into a \gls{JSON} string. Normally JavaScript's -same-origin policy prohibits making requests to servers in another domain, but -the window.name property is accessible from other domains and resistant to page -reloads. Maintaining a session across domains and without cookies is therefore -possible and multiple implementations exist +One useful property for tracking purposes is the \texttt{window.name} property +\cite{whatwgWindowNameHTML2020}. Its original intention was to allow +client-side JavaScript to get or set the name of the current window. Since +windows do not have to have names, the window.name property is being used mostly +for setting targets for hyperlinks and forms. Modern browsers allow storing up +to two megabytes of data in the window.name property, which makes it a viable +option for using it as a data storage or---more specifically---maintaining +session variables. In order to store multiple variables in the window.name +property, the values have first to be packed in some way because only a single +string is allowed. A \gls{JSON} stringifier converts a normal string into a +\gls{JSON} string which is then ready to be stored in the \gls{DOM} property. +Additionally, serializers can also convert JavaScript objects into a \gls{JSON} +string. Normally JavaScript's same-origin policy prohibits making requests to +servers in another domain, but the window.name property is accessible from other +domains and resistant to page reloads. Maintaining a session across domains and +without cookies is therefore possible and multiple implementations exist \cite{frankSessionVariablesCookies2008,zypWindowNameTransport2008}. \section{Storage-based Tracking Methods} diff --git a/references.bib b/references.bib index e2f6b35..520b092 100644 --- a/references.bib +++ b/references.bib @@ -1546,6 +1546,16 @@ The goal of the DOM specification is to define a programmatic interface for XML note = {Accessed 2020-02-27} } +@misc{whatwgWindowNameHTML2020, + title = {Window.Name - {{HTML Standard}}}, + author = {WHATWG}, + year = {2020}, + month = aug, + url = {https://html.spec.whatwg.org/multipage/window-object.html\#dom-name}, + urldate = {2020-08-10}, + note = {Accessed 2020-08-07} +} + @inproceedings{wondracekPracticalAttackDeanonymize2010, title = {A {{Practical Attack}} to {{De}}-Anonymize {{Social Network Users}}}, booktitle = {2010 {{IEEE Symposium}} on {{Security}} and {{Privacy}}}, @@ -1598,9 +1608,10 @@ The goal of the DOM specification is to define a programmatic interface for XML year = {2008}, month = jul, url = {https://www.sitepen.com/blog/windowname-transport/}, - urldate = {2020-02-10}, + urldate = {2020-08-10}, abstract = {The window.name transport is a new technique for secure cross-domain browser based data transfer, and can be utilized for creating secure mashups with untrusted sources. window.name is implemented in Dojo in the new dojox.io.windowName module, and it is very easy to make web services available through the window.name protocol. window.name works by loading a cross-domain \ldots}, - journal = {SitePen} + journal = {SitePen}, + note = {Accessed 2020-08-10} }