[Webkit-unassigned] [Bug 185372] Intelligent Tracking Prevention blocking Norwegian BankID authentication service

bugzilla-daemon at webkit.org
Mon May 14 10:51:39 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=185372

--- Comment #4 from John Wilander <wilander at apple.com> ---
(In reply to Kristoffer Skaret from comment #3)
> Hi John Wilander.
> Thanks for the tip.
> 
> The Storage Access API is clearly a step in the right direction. It seems to
> be a helpful solution to allow embedding of cross-site content in an iframe,
> and I think we can take benefit from it in some cases. But unfortunately it
> does not completely fulfill our needs.
> 
> To be clear, here is a quick overview of our needs:
> - The service must be able to load both in an iframe or as a top level frame
> (through new window or redirect)
> - The service needs access to cookies.
> - The service must work without user interaction. In fact one of the main
> features is to be able to authenticate the user without any user interaction.
> - The service is triggered from a large and increasing number of different
> domains.
> 
> Our challenge is that ITP limits the access to cookies even if the service
> is loaded in the browser’s top frame.
> 
> Do you have any other suggestions, or possible solutions? For instance, is
> there any possibility to «whitelist» our domain from ITP in any way?

The list of requirements you provide are things that allow cross-site tracking. That's exactly how cross-site tracking works.
Our proposed solution is to adopt the Storage Access API and see how it works out for your customers. If there are enhancements to it that you think we can implement without opening up for cross-site tracking, we will absolutely take those into consideration. But any changes have to stand up against abuse cases and be something the user can understand.

-- 
You are receiving this mail because:
You are the assignee for the bug.