[webkit-reviews] review granted: [Bug 199074] Storage Access API: Cap the number of times an iframe document can request access : [Attachment 372576] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 20 12:08:21 PDT 2019


Brent Fulgham <bfulgham at webkit.org> has granted John Wilander
<wilander at apple.com>'s request for review:
Bug 199074: Storage Access API: Cap the number of times an iframe document can
request access
https://bugs.webkit.org/show_bug.cgi?id=199074

Attachment 372576: Patch

https://bugs.webkit.org/attachment.cgi?id=372576&action=review




--- Comment #5 from Brent Fulgham <bfulgham at webkit.org> ---
Comment on attachment 372576
  --> https://bugs.webkit.org/attachment.cgi?id=372576
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=372576&action=review

r=me

>>> Source/WebCore/dom/DocumentStorageAccess.h:69
>>> +	 void setWasExplicitlyDeniedFrameSpecificStorageAccess() {
++m_numberOfTimesExplicitlyDeniedFrameSpecificStorageAccess; };
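Review bot: the inline definition at DocumentStorageAccess.h:69 ends in `};`, and the semicolon after the closing brace of a member function body is redundant, so it can be dropped. The name setWasExplicitlyDeniedFrameSpecificStorageAccess reads like a boolean setter, while the body increments m_numberOfTimesExplicitlyDeniedFrameSpecificStorageAccess; a name that says "increment" or a one-line comment would make the counting behaviour clear at call sites. Nothing on this line says which document the counter belongs to, so a short comment next to the member stating its scope would help.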
>> 
>> This seems to increment count for all frames. So, if a page embedded a frame
>> from 'social.com', a second from 'video.com', and a third from 'music.com', the
>> 'music.com' site might get blocked even though each frame had only asked for
>> permission once.
>> 
>> Is that a problem?
>> 
>> I'm trying to remember if storage access is gated on the user interacting
>> with the frame. Are we hitting these multiple requests when just loading the
>> page?
>> 
>> Would it be better to perform the counting at the {document, frame} pair,
>> instead of just all access requests of any kind incrementing a single top-level
>> document counter?
> 
> I don't think that's the case. The DocumentStorageAccess class supplements
> Document and has a reference to the document it belongs to. So the count should
> be for this document in the iframe. I tried to express this scope in the bug
> title and explanation.

Ah! Understood. The Document here is the frame's document, not the overall
top-level document.

This is a good change. r=me.

