You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Sites can't tell that a single user is visiting on two different devices until the user enters sufficiently-identifying information into the site on both devices independently or otherwise expresses a desire to sign into the same account on both devices.
The ideal threat model would prevent cross-device correlation until the user intentionally signs into a single account on both devices, but it seems impossible for a browser to prevent users from, say, typing a credit card number or home address into the site on each device, which doesn't express the user's intent to share an account, but does let the site guess it's the same or a closely-related user.
I think the only practical effect is to ban browsers from sync'ing storage across devices without per-site user intent (?), but that's still worth writing down.
Roughly:
The ideal threat model would prevent cross-device correlation until the user intentionally signs into a single account on both devices, but it seems impossible for a browser to prevent users from, say, typing a credit card number or home address into the site on each device, which doesn't express the user's intent to share an account, but does let the site guess it's the same or a closely-related user.
I think the only practical effect is to ban browsers from sync'ing storage across devices without per-site user intent (?), but that's still worth writing down.