Different file:// paths are not treated as different origins #21260

Closed
moughxyz opened this issue Nov 22, 2019 · 3 comments

moughxyz commented Nov 22, 2019

Issue Details

Electron Version: 7.1.2 (but also same behavior on 5.x and 6.x)
Operating System: macOS 10.14.6

Expected Behavior

Different file:// paths should be treated as different origins, according to @MarshallOfSound's post here:

"Unique file:// URLs are all considered on different origins for security reasons, this is the same behavior as a browser"

However, different files appear to be able to share localStorage. I've attached a simple demo project.

index.html:

localStorage.setItem("foo", "bar");
console.log("Read value from index.html:", localStorage.getItem("foo"));
// Outputs "bar"

child.html (as iframe):

console.log("Read value from child.html:", localStorage.getItem("foo"));
// Outputs "bar", but should be null.

We expect child.html, which has a different file:// location, to not be able to read index.html's localStorage values.

Actual Behavior

child.html iframe is able to read the localStorage values that index.html set.

To Reproduce

Run this project:
electron-same-origin.zip


moughxyz (Author) commented

For the record, both the latest versions of Chrome and Safari behave similarly. They treat all files as having same origin. However, Firefox handles this correctly and gives a unique localStorage context to each unique file path.

Chrome: [screenshot]

Firefox: [screenshot]

nornagon (Member) commented

Unfortunately it's beyond the scope of the Electron project to change this behavior in Chromium. Please raise a bug upstream: https://crbug.com/new

moughxyz commented Nov 22, 2019

Related threads:

https://bugs.chromium.org/p/chromium/issues/detail?id=794098, https://bugs.chromium.org/p/chromium/issues/detail?id=957695#c8

https://bugzilla.mozilla.org/show_bug.cgi?id=1500453

Looks like this issue is being actively discussed on the Chromium side, and just recently merged in Firefox 68.
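
An added example, not part of the issue thread or of Electron's code: a Node.js audit that flags local iframes which keep the parent's origin and so would share its localStorage, as in the index.html/child.html report above. It assumes the standard HTML rule that a sandbox attribute without allow-same-origin gives the frame an opaque origin; the function names and sample markup are constructed, and the regex tag matching is a simplification rather than a full HTML parser.

```javascript
// True when src is a relative path or an explicit file:// URL, i.e. the frame
// is loaded from disk next to the parent page in a file://-hosted app.
function isLocalSrc(src) {
  if (/^file:/i.test(src)) return true;
  return !/^[a-z][a-z0-9+.-]*:/i.test(src) && !src.startsWith('//');
}

// Parse the attributes of one <iframe ...> tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<iframe/i, '').replace(/\/?>$/, '');
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per local iframe that keeps the parent's origin.
function findSharedStorageFrames(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    if (!('src' in attrs) || !isLocalSrc(attrs.src)) continue;
    if (!('sandbox' in attrs)) {
      findings.push({ src: attrs.src, reason: 'no sandbox attribute' });
      continue;
    }
    // An empty sandbox value applies every restriction, including opaque origin.
    const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.includes('allow-same-origin')) {
      findings.push({ src: attrs.src, reason: 'sandbox has allow-same-origin' });
    }
  }
  return findings;
}

// Constructed sample markup, modelled on the issue's index.html/child.html pair.
const SAMPLE = `
<iframe src="child.html"></iframe>
<iframe src="plugin.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="isolated.html" sandbox="allow-scripts"></iframe>
<iframe src="https://example.com/widget.html"></iframe>`;

console.log(findSharedStorageFrames(SAMPLE));
```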
