[Webkit-unassigned] [Bug 185615] New: Storage Access API: Allow documents that have been granted storage access to also do a popup

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 14 10:39:15 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=185615

            Bug ID: 185615
           Summary: Storage Access API: Allow documents that have been
                    granted storage access to also do a popup
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bfulgham at webkit.org

Feedback from potential clients of the Storage Access API pointed out the following problem: If a user grants storage access permission to a third-party site, but that third-party content does not have its expected local state (e.g., local login cookies or other important state), they will not gain access to their expected data. Without Storage Access API use, they could use the user gesture (generated by clicking in the iframe) to trigger a pop-up window to perform a login. With Storage Access API, the user gesture is consumed, and they lose this ability.

We should revise the Storage Access API so that a successful granting of Storage Access API permissions re-enables the UserGestureIndicator state so that the storage access API client can perform a login if they need to.

To avoid abuse, we should make this a one-time gesture, so that abusers cannot chain a series of events within the context of the Storage Access API grant.

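The gesture handling described in this report, as an added example that is not part of the original message and is not WebKit code: a small JavaScript model comparing the reported behaviour with the proposed one-time re-enabled gesture. The class, its fields and methods are hypothetical, and the model assumes every gesture-gated action consumes the current gesture.

```javascript
// Simplified model of the gesture handling this bug describes. Not WebKit code:
// class, fields and methods are hypothetical stand-ins for UserGestureIndicator state.
class FrameGestureModel {
  constructor(regrantOnGrant) {
    this.regrantOnGrant = regrantOnGrant; // false = behaviour reported, true = proposal
    this.gesture = null;                  // null, "click", or "regranted"
    this.hasStorageAccess = false;
  }

  userClick() { this.gesture = "click"; }

  // Assumption: every gesture-gated action consumes the current gesture.
  consumeGesture() {
    const g = this.gesture;
    this.gesture = null;
    return g;
  }

  requestStorageAccess(userAllows) {
    const g = this.consumeGesture();
    if (g === null || !userAllows) return false;
    this.hasStorageAccess = true;
    // Proposal: a successful grant re-enables the gesture, but only when the
    // request came from a real click, so a regranted gesture cannot be chained.
    if (this.regrantOnGrant && g === "click") this.gesture = "regranted";
    return true;
  }

  openPopup() { return this.consumeGesture() !== null; }
}

function loginFlow(regrantOnGrant, userAllows = true) {
  const frame = new FrameGestureModel(regrantOnGrant);
  frame.userClick();
  const granted = frame.requestStorageAccess(userAllows);
  return { granted, firstPopup: frame.openPopup(), secondPopup: frame.openPopup() };
}

function chainAttempt() {
  const frame = new FrameGestureModel(true);
  frame.userClick();
  frame.requestStorageAccess(true);   // real click: gesture is regranted once
  frame.requestStorageAccess(true);   // spends the regranted gesture, no new one
  return frame.openPopup();           // blocked
}

console.log("reported:", loginFlow(false));
console.log("proposed:", loginFlow(true));
console.log("denied:  ", loginFlow(true, false));
console.log("chained popup allowed:", chainAttempt());
```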