[Webkit-unassigned] [Bug 196318] New: REGRESSION: [ITP 2.1] Storage access not granted to the original page after user interacts with the Google Sign-In popup
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Mar 27 14:46:37 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=196318
Bug ID: 196318
Summary: REGRESSION: [ITP 2.1] Storage access not granted to
the original page after user interacts with the Google
Sign-In popup
Product: WebKit
Version: Safari Technology Preview
Hardware: Macintosh
OS: macOS 10.14
Status: NEW
Severity: Major
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: satoshioono8 at gmail.com
We recently noticed an issue starting from STP 77 (and STP 78) where storage access isn't granted even when the popup is not auto-dismissed.
More specifically: document.hasStorageAccess() still returns false after the popup is closed with a user interaction.
This seems to be in conflict with the "Removed Compatibility Fix for Popups" section in the ITP 2.1 blog post (https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/), where the access would be granted if the popup is not auto-dismissed. Therefore I think this is a bug.
Here are the reproduce steps.
1. Make sure that the 3rd party domain is considered prevalent, in this case, google.com.
2. Open a website implementing Google Sign In. For example, let’s use soundcloud.com.
3. Click on the signin button up top. This would load the iframe under the accounts.google.com domain.
4. Open the console and change the scope to sslFrame_google (iframe). Run document.hasStorageAccess(). As expected this would resolve to false.
5. Click on “Continue with Google”. A popup under accounts.google.com will be opened. Interact with the popup by clicking on a signed in Google account or signing in a new one. The popup will then close.
6. On the opening browser, the page will not sign in the user and will appear as if nothing happened.
7. If you run document.hasStorageAccess() again under the sslFrame_google (iframe) scope, the promise would still resolve to false.
Please let me know if we could help to reproduce this issue!
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190327/c224374d/attachment-0001.html>
More information about the webkit-unassigned
mailing list