[Webkit-unassigned] [Bug 185372] Intelligent Tracking Prevention blocking Norwegian BankID authentication service

bugzilla-daemon at webkit.org
Wed May 9 01:38:40 PDT 2018


--- Comment #3 from Kristoffer Skaret <kristoffer.skaret at kantega.no> ---
Hi John Wilander.
Thanks for the tip.

The Storage Access API is clearly a step in the right direction. It seems to be a helpful solution to allow embedding of cross-site content in an iframe, and I think we can benefit from it in some cases. But unfortunately it does not completely fulfill our needs.

To be clear, here is a quick overview of our needs:
- The service must be able to load either in an iframe or as a top-level frame (through a new window or redirect).
- The service needs access to cookies.
- The service must work without user interaction. In fact one of the main features is to be able to authenticate the user without any user interaction.
- The service is triggered from a large and increasing number of different domains.

Our challenge is that ITP limits the access to cookies even if the service is loaded in the browser’s top frame.

Do you have any other suggestions, or possible solutions? 
For instance, is there any possibility to «whitelist» our domain from ITP in any way?
