Orion Version 0.99.121.1-beta (WebKit 614.1.20)
on Ventura 13.0.1 (22A400)
Created a new browser profile (entirely empty)
Visited https://browseraudit.com and proceeded with default settings
The "critical" reports are all relating to same origin policy:
- 1x cookie illegal domain value (a cookie set for domain
.test.browseraudit.com, set by domain
browseraudit.com was sent to
- 12x XHR-related ones, which seem to be saying that (in short) as long as served over HTTPS, websites could make XHR requests to other domains and subdomains, which shouldn't be possible.
My understanding is that these requests indeed should be blocked, to prevent XHR across domains.
If I repeat this in "private browsing" mode in Orion, I get:
Therefore I think there are some settings that private browsing applies which resolve some of these issues. I imagine that private mode has some stricter SOP rules, which other browsers are applying by default.
For comparison, STP in regular non-private mode (Release 158 (Safari 16.4, WebKit 186220.127.116.11.1))