Website can track between normal and private tab

[VMBindraban]

Description

A normal tab shares data with private tab that is accessible by websites (and thus tracking)

Steps to Reproduce

1. Go to https://www.nothingprivate.ml/
2. Fill in random name
3. Open https://www.nothingprivate.ml/ in private window
4. It knows what your name is.

This also works the other way around, going from private to normal.

Actual result:

Website can identify/track between normal and private tab.

Expected result:

Not to share data between normal and private tab that is accessible by websites.

Reproduces how often:

Easily reproduced

Brave version (brave://version info)

Brave	0.57.18 Chromium: 71.0.3578.80 (Official Build) (64-bit)
Revision	2ac50e7249fbd55e6f517a28131605c9fb9fe897-refs/branch-heads/3578@{#860}
OS	Mac OS X

Reproducible on current release:

• Does it reproduce on brave-browser dev/beta builds?

Not tested.

Website problems only:

• Does the issue resolve itself when disabling Brave Shields? No.
• Is the issue reproducible on the latest version of Chrome? Yes.

Additional Information

It seems that they generate a fingerprint and store it.
The fingerprint on a normal tab is the same as in the private tab.

[diracdeltas]

This also works the other way around, going from private to normal.

This is the more serious case; normal to private is expected since some state last I checked (like HSTS) is inherited in private tabs from normal tabs.

As OP notes this is also an issue in Chrome but maybe we should fix independently.

[tildelowengrimm]

I don't think this is state sharing; it seems to be fingerprinting. In dev version 59.5 on MacOS with first-party fingerprinting protection turned on, I can't repro.