[Webkit-unassigned] [Bug 202640] New: [Safari 13] Tracking blocking breaks remembering login on editor.construct.net

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 7 09:59:24 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=202640

            Bug ID: 202640
           Summary: [Safari 13] Tracking blocking breaks remembering login
                    on editor.construct.net
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ashley at scirra.com

In Safari, the "Prevent cross-site tracking" setting breaks our site from remembering the user's login state. In our case I believe Safari ought to have reasonable heuristics to allow the case.

Steps to reproduce:

1. Register an account on construct.net (it's free)
2. Visit editor.construct.net
3. Choose Menu - Account - Log in
4. Enter login details, tick "Keep me logged in", and click "Log in"
5. Once logged in, reload the page

Expected result: login remembered
Observed result: login forgotten and reverts to guest state; user has to log in again

Turning off "Prevent cross-site tracking" in preferences fixes it and allows it to work again.

As a security defense-in-depth, our login form is on a different origin to the web app. The app is on editor.construct.net and the login form is on account.construct.net. Therefore the user is interacting with a cross-origin iframe, typing in their password, and submitting this to that origin. However Safari still blocks the attempt for this origin to remember the login state.

I completely understand the desire to block the ability for third-party ads to track users and similar user-hostile cases, but in this case it seems Safari has gone too far. Surely typing in your login details to an iframe ought to be considered sufficient interaction to allow storage? It works in Firefox 69, as well as Chrome.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191007/d041d723/attachment-0001.html>

More information about the webkit-unassigned mailing list