From 93fb015c0f5c3425d88494d29b87c461087016e3 Mon Sep 17 00:00:00 2001
From: hackademix
Date: May 08 2022 07:06:20 +0000
Subject: Reset window.name on TLD+1 domain changes.
---
diff --git a/chrome/manifest.json b/chrome/manifest.json
index e5d6c43..b9b3ac4 100644
--- a/chrome/manifest.json
+++ b/chrome/manifest.json
@@ -7,8 +7,10 @@
 "nscl/common/log.js",
 "nscl/common/uuid.js",
 "nscl/common/SyncMessage.js",
+ "nscl/common/tld.js",
 "nscl/service/DocStartInjection.js",
 "nscl/service/TabCache.js",
+ "nscl/service/NavCache.js",
 "helpers.js",
 "session_hash.js",
 "update.js",
@@ -80,6 +82,7 @@
 "tabs",
 "webRequest",
 "webRequestBlocking",
+ "webNavigation",
 "",
 "notifications"
 ],
diff --git a/common/level_cache.js b/common/level_cache.js
index ac3620b..b370838 100644
--- a/common/level_cache.js
+++ b/common/level_cache.js
@@ -39,7 +39,7 @@ function getContentConfiguration(url, frameId, tabId) {
 *
 * Suppose that there is an iframe from domain C nested in an iframe from
 * domain B that is iself nested in a visited domain A.
- *
+ *
 * +------------------------------------------------------------+
 * | visited domain a.example |
 * | |
@@ -53,7 +53,7 @@ function getContentConfiguration(url, frameId, tabId) {
 * | | | |
 * | +--------------------------------------------------------+ |
 * +------------------------------------------------------------+
- *
+ *
 * Suppose that B has a user-defined specific level settings, and C does
 * not have a user-defined specific level settings. The iframe of domain B
 * gets the user-defined settings for domain B but the iframe from domain C
@@ -118,3 +118,26 @@ DocStartInjection.register(async ({url, frameId, tabId}) => {
 console.debug("DocStartInjection while doc", document.readyState);
 `;
 });
+
+NavCache.onUrlChanged.addListener(({tabId, frameId, previousUrl, url}) => {
+ let toDomain = url => {
+ try {
+ let {hostname} = new URL(url);
+ return hostname && tld.getDomain(hostname) || "";
+ } catch (e) {
+ return "";
+ }
+ }
+ if (toDomain(previousUrl) === toDomain(url)) return;
+ (async () => {
+ let configuration = await getContentConfiguration(url, frameId, tabId);
+ if (configuration.currentLevel.windowname) {
+ browser.tabs.executeScript(tabId, {
+ code: `window.name = "";`,
+ frameId,
+ runAt: "document_start",
+ matchAboutBlank: true,
+ });
+ }
+ })();
+});
\ No newline at end of file
diff --git a/common/levels.js b/common/levels.js
index 26e1a8f..f687569 100644
--- a/common/levels.js
+++ b/common/levels.js
@@ -645,8 +645,8 @@ var wrapping_groups = {
 {
 name: "windowname",
 label: "Persistent identifier of the browser tab",
- description: "Clear window.name value on the webpage loading.",
- description2: ["This API might be occasionally used for benign purposes.", "This API provides a possibility to detect cross-site browsing in one tab and broser session."],
+ description: "Clear window.name value on TLD+1 domain changes.",
+ description2: ["This API might be occasionally used for benign purposes.", "This API provides a possibility to detect cross-site browsing in one tab and browser session."],
 params: [
 {
 short: "Strict",
diff --git a/common/wrappingS-HTML.js b/common/wrappingS-HTML.js
index af33272..5e9bac8 100644
--- a/common/wrappingS-HTML.js
+++ b/common/wrappingS-HTML.js
@@ -25,7 +25,7 @@
 /** \file
 * \ingroup wrappers
 *
- * `window.name` prvides a simple cross-origin tracking method of the same tab:
+ * `window.name` provides a simple cross-origin tracking method of the same tab:
 *
 * ```js
 * window.name = "8pdRoEaQCpsjtC8w07dOy7xwXjXrHDyxxmPWBUxQKrh7xfJ4SYFH8QClp6U9T+Ypa8IEa5AwFw3x"
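Review bot: In the `NavCache.onUrlChanged` listener added to common/level_cache.js, `toDomain` maps every URL it cannot resolve to `""`, so a navigation where both `previousUrl` and `url` fall into that case compares equal and skips the reset. That covers a parse failure, an empty hostname, and any host for which `tld.getDomain` returns a falsy value (possibly IP literals or single-label hosts; tld.js is not shown here), so the check fails open for exactly the hosts it cannot classify. Falling back to the hostname keeps distinct hosts distinct: `return hostname && (tld.getDomain(hostname) || hostname) || "";`. The promise from `browser.tabs.executeScript` is also neither awaited nor caught inside the async IIFE, so a rejection (closed tab, a frame the extension cannot script) goes unhandled; `await` it inside a `try`/`catch` that logs the error. Because the reset now runs after an `await` in the background page rather than in the injected wrapper, it is worth confirming that it lands before page scripts can read `window.name`.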
@@ -49,7 +49,7 @@
 parent_object: "window",
 parent_object_property: "name",
 wrapped_objects: [],
- helping_code: "window.name = '';",
+ helping_code: "/* window.name = ''; */", // we actually do this in level_cache.js on TLD+1 domain changes
 },
 ]
 add_wrappers(wrappers);
diff --git a/firefox/levels_browser.js b/firefox/levels_browser.js
index 348ee4a..7fa1d29 100644
--- a/firefox/levels_browser.js
+++ b/firefox/levels_browser.js
@@ -22,11 +22,12 @@
 var modify_wrapping_groups = function() {
 wrapping_groups.groups.forEach(function (group) {
 if (group.name === "windowname") {
- group.description2.push("Firefox 88 and above already protects you. However, Firefox allows an origin to share information between separate pages, use the strict protection if you do not want an origin to use window.name to share information between pages of the same origin.")
+ group.description2.push("Firefox 88 and above already protects you.")
 }
 });
 };
 var modify_builtin_levels = function() {
 delete level_2.windowname;
 delete level_3.windowname;
+ delete level_4.windowname;
 }
diff --git a/firefox/manifest.json b/firefox/manifest.json
index 3264c3a..a98d4d0 100644
--- a/firefox/manifest.json
+++ b/firefox/manifest.json
@@ -4,11 +4,13 @@
 "scripts": [
 "nscl/lib/browser-polyfill.js",
 "nscl/service/TabCache.js",
+ "nscl/service/NavCache.js",
 "nscl/service/DocStartInjection.js",
 "nscl/lib/sha256.js",
 "nscl/common/log.js",
 "nscl/common/uuid.js",
 "nscl/common/SyncMessage.js",
+ "nscl/common/tld.js",
 "helpers.js",
 "session_hash.js",
 "update.js",
diff --git a/nscl b/nscl
index fa49ecb..cead3ec 160000
--- a/nscl
+++ b/nscl
@@ -1 +1 @@
-Subproject commit fa49ecb52140aa80db30a7fa834f6358acc94a13
+Subproject commit cead3ec8eabae1638432011335cd914b91124b50
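Review bot: The new `helping_code` value in common/wrappingS-HTML.js is commented-out code kept inside a string, so the wrapper presumably still hands that text to the page although it does nothing. If the wrapper builder (outside this hunk) accepts an empty value, `helping_code: "", // reset is done in level_cache.js on TLD+1 domain changes` states the same thing without carrying dead code. The object literal starts before the hunk, so whether the remaining wrapper entry is still needed at all cannot be judged from here.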
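Review bot: `delete level_4.windowname;` in firefox/levels_browser.js drops the reset from a further built-in level, and nothing in this hunk checks that the running browser is Firefox 88 or later, which is what the shortened description text relies on. If the manifest's minimum Firefox version (not visible here) is below 88, users on older releases get no `window.name` reset at any of these levels. Either gate the `delete` lines on the browser version or confirm the minimum version and record it next to them, e.g. `// Firefox >= 88 isolates window.name across sites on its own`.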
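Review bot: The firefox/manifest.json hunk loads `nscl/service/NavCache.js` into the background scripts but, unlike the chrome/manifest.json change in this commit, adds no `webNavigation` permission. The `permissions` array lies outside the hunk, so it may already be listed there; if it is not, NavCache would presumably fail as soon as it touches `browser.webNavigation`. Worth confirming before merge.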