[Webkit-unassigned] [Bug 189952] Intelligent Tracking Prevention preventing BBC.co.uk sign in

bugzilla-daemon at webkit.org
Fri Sep 28 08:33:48 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=189952

--- Comment #5 from marc.burrows at bbc.co.uk ---
(In reply to John Wilander from comment #2)

Hi again John,

Soon after my last message I think we worked out what is happening, and it seems to be related to the iframe, as you suggested. I forgot this part of our flows!

*We have this flow:*
- The user arrives on a bbc.co.uk page and is in need of a token refresh.
- The token refresh is done in an iframe on a bbc.co.uk page, but in order to make sure that they are a valid user we do a redirect (in the iframe) and make sure that a cookie exists on account.bbc.com.
- If that cookie doesn't exist, then we sign the user out.
- This redirects the user (in the iframe) to a sign-out endpoint on session.bbc.co.uk and updates the various cookies we use to check whether the user is signed in to a date in the past (to expire them).
- The user is then redirected (in the iframe) to the same sign-out endpoint, but this time on session.bbc.com; the cookies on this domain, which do the same as the above, are then updated to a date in the past as well (to expire them).

*Questions on this flow:*
- Does it seem like this flow would be affected by ITP because we are updating the cookies from a different domain, from within an iframe?

- It looks like most of the cookies on bbc.co.uk and session.bbc.co.uk that we expire in this flow are blank and are session cookies; hence we assume they are partitioned (please confirm). Does this sound like something ITP would do?

- If we are trying to expire cookies on bbc.com through an iframe on a bbc.co.uk page, then should ITP:
a) Partition the cookies on bbc.com
b) Just not update (expire) the cookies
c) Purge the cookies

- If we were to implement the Storage Access API do we need to request user interaction with bbc.com? In the docs here - https://webkit.org/blog/8124/introducing-storage-access-api/ - we can see that it says:
"The iframe needs to be processing a user gesture at the time of the API call."

But we do a background client-side token refresh in the iframe, and it has no user interaction. Is there a suggested solution for this in our situation? It seems like the examples require a user interaction (be it with a button or something else), and this is done in the background.

Thanks

Marc

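The user-gesture requirement quoted above, as an added JavaScript example that is not part of the bug thread, not BBC's code, and not WebKit's reply: an iframe script that keeps the refresh a silent background call only when `hasStorageAccess()` already reports access, and otherwise moves `requestStorageAccess()` (and the refresh after it) into a click handler, since the API rejects a call made outside a user gesture. The `document` and button objects are constructed stand-ins so the block runs outside a browser; `refreshToken`, the function names and the gesture model are assumptions made for the example.

```javascript
// Added example (not BBC's code, and not WebKit's answer to the comment above):
// gate an iframe's token refresh on the Storage Access API, which the linked
// blog post requires to be called while processing a user gesture.
//
// Everything here is constructed for the example: `doc` stands in for the
// iframe's `document` (only hasStorageAccess()/requestStorageAccess() are
// used), `refreshToken` is a hypothetical async call to a token endpoint,
// and `button` is a hypothetical element inside the iframe the user can click.

async function refreshWithStorageAccess(doc, refreshToken, button) {
  // Fast path: the iframe already has unpartitioned cookie access, so the
  // refresh can stay a silent background call.
  if (await doc.hasStorageAccess()) {
    return { mode: 'background', token: await refreshToken() };
  }

  // Slow path: requestStorageAccess() only succeeds while a user gesture is
  // being processed, so it cannot be called from this background code path.
  // Attach a click handler and do the request (and the refresh) inside it.
  return new Promise((resolve) => {
    button.addEventListener('click', async function onClick() {
      button.removeEventListener('click', onClick);
      try {
        await doc.requestStorageAccess(); // called while the click is processed
        resolve({ mode: 'gesture', token: await refreshToken() });
      } catch (err) {
        // Rejected (no gesture, or access denied): report it instead of
        // retrying; the caller can treat the user as signed out.
        resolve({ mode: 'denied', token: null, reason: String(err) });
      }
    });
  });
}

// Constructed stand-in for the iframe's document. It models the one rule the
// comment quotes: requestStorageAccess() rejects unless a user gesture is
// being processed at the time of the call.
function makeFakeDocument({ hasAccess }) {
  let inGesture = false;
  return {
    async hasStorageAccess() { return hasAccess; },
    async requestStorageAccess() {
      if (!inGesture) throw new Error('not processing a user gesture');
      hasAccess = true;
    },
    // Test hook: run fn while "processing a user gesture".
    withUserGesture(fn) {
      inGesture = true;
      try { return fn(); } finally { inGesture = false; }
    },
  };
}

// Constructed stand-in for a clickable element with click listeners.
function makeFakeButton() {
  const listeners = new Set();
  return {
    addEventListener(type, fn) { if (type === 'click') listeners.add(fn); },
    removeEventListener(type, fn) { listeners.delete(fn); },
    click() { for (const fn of [...listeners]) fn(); },
  };
}

const settle = () => new Promise((r) => setTimeout(r, 0)); // let handlers attach

// Run the situations the comment raises and return their outcomes.
async function demo() {
  const refreshToken = async () => 'new-token'; // hypothetical endpoint call
  const out = {};

  // 1. Access already granted: the background refresh works unchanged.
  out.granted = await refreshWithStorageAccess(
    makeFakeDocument({ hasAccess: true }), refreshToken, makeFakeButton());

  // 2. No access, background requestStorageAccess() with no gesture: rejected.
  out.silentRequestRejected = await makeFakeDocument({ hasAccess: false })
    .requestStorageAccess().then(() => false, () => true);

  // 3. No access, real user click: the request succeeds, then the refresh runs.
  const doc3 = makeFakeDocument({ hasAccess: false });
  const button3 = makeFakeButton();
  const pending3 = refreshWithStorageAccess(doc3, refreshToken, button3);
  await settle();
  doc3.withUserGesture(() => button3.click());
  out.userClick = await pending3;

  // 4. No access, scripted click outside any gesture (the fake treats it as
  //    carrying no user activation): the request rejects, so the handler
  //    reports 'denied' rather than a refreshed token.
  const doc4 = makeFakeDocument({ hasAccess: false });
  const button4 = makeFakeButton();
  const pending4 = refreshWithStorageAccess(doc4, refreshToken, button4);
  await settle();
  button4.click();
  out.scriptedClick = await pending4;

  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(r));
}
```

In a real iframe the `document` object and a visible button would be passed in. The point is the split: the silent refresh only stays silent once `hasStorageAccess()` is true, and the access request has to live inside the click handler, not in the background refresh path that the comment describes.
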