This is interesting. State-sponsored hackers, red team, stolen security tools, all those combined could be a great movie.

So I thought I have found a bug of Firefox, which treats sessionStorage differently than Google. I found on Firefox that when the page was directed to another url, the sessionStorage was freed immediately. At first I thought it was a bug of Firefox. To get around of it, I use localStorage instead, and send the author a pull request. But the original author reminded me that he hadn't found such problem on Firefox. Than it occurred to me that it might be my problem. So I looked into my code again, did find the problem. It turns out I am using sessionStorage inside an iframe, when change the url of the top window, then on Firefox the storage is freed immediately as the session is lost.

Well written, both the article and the code. A little bit spoiler, I am also working on Spotify...