[Webkit-unassigned] [Bug 219582] New: hasStorageAccess() should return false for embedded documents that have never set cookies in the first-party context
bugzilla-daemon at webkit.org
Sun Dec 6 10:08:46 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=219582
Bug ID: 219582
Summary: hasStorageAccess() should return false for embedded documents that have never set cookies in the first-party context
Product: WebKit
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: DOM
Assignee: webkit-unassigned at lists.webkit.org
Reporter: senglehardt at mozilla.com
Tested in Safari Tech Preview v 14.1.
STR (on a clean profile):
1. Go to https://englehardt-tracker.com/index.html and interact with the page
2. Go to https://senglehardt.com/test/dfpi/storage_access_api.html.
3. In the third iframe from englehardt-tracker.com, click requestStorageAccess(). Click allow in the storage access prompt.
4. Click hasStorageAccess()
Expected result: hasStorageAccess() returns `false`. Though englehardt-tracker.com was previously visited as a first party (and received user interaction), it did not set cookies as a first party. Thus Safari will still prevent it from setting or retrieving cookies, even after the user has approved storage access via requestStorageAccess.
Actual result: hasStorageAccess() returns `true`, but the embedded frame is unable to set / retrieve cookies.
From a developer perspective it might actually make more sense to add the additional cookie restriction as another requirement for requestStorageAccess(). I.e., automatically deny requestStorageAccess if the requesting origin hasn't been visited, interacted with, and set a cookie as a first party. Alternatively you could consider unblocking cookies after a successful call to requestStorageAccess(), even if the embedded origin had never set a cookie in the first-party context.
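As an added example (not part of the bug report or of WebKit), the following probe carries out steps 3 and 4 of the STR from inside an embedded frame and compares what hasStorageAccess() claims with whether a cookie can actually be written and read back, which is the mismatch the report describes. The document-like object is injected so the same logic runs against the real `document` in a browser or against a constructed stand-in; the cookie name `sa_probe` and the stand-in are assumptions for illustration.

```javascript
// Probe whether hasStorageAccess() agrees with the frame's real ability to use
// cookies. `doc` is the embedded document (or a stand-in with the same shape).
// In a browser, call this from a click handler, since requestStorageAccess()
// must be triggered by a user gesture.
async function probeStorageAccess(doc, cookieName = "sa_probe") {
  // Step 3 of the STR: request storage access (user accepts the prompt).
  let requestGranted;
  try {
    await doc.requestStorageAccess();
    requestGranted = true;
  } catch (err) {
    requestGranted = false;
  }

  // Step 4 of the STR: what does the API claim?
  const claimed = await doc.hasStorageAccess();

  // Ground truth: try a cookie round-trip in the embedded context.
  const value = `probe-${Date.now()}`;
  doc.cookie = `${cookieName}=${value}; SameSite=None; Secure`;
  const actual = doc.cookie
    .split(";")
    .some((c) => c.trim() === `${cookieName}=${value}`);

  return {
    requestGranted,
    claimed, // hasStorageAccess() result
    actual, // cookie write + read-back succeeded
    consistent: claimed === actual, // false reproduces the reported bug
  };
}

// Constructed stand-in for an embedded document (assumption, not WebKit code):
// the prompt is accepted, hasStorageAccess() answers `claimsAccess`, and cookie
// writes are either stored or silently dropped depending on `cookiesWork`.
function makeStandIn({ claimsAccess, cookiesWork }) {
  let jar = "";
  return {
    requestStorageAccess: async () => undefined,
    hasStorageAccess: async () => claimsAccess,
    get cookie() {
      return jar;
    },
    set cookie(v) {
      if (cookiesWork) jar = v.split(";")[0]; // keep name=value, drop attributes
    },
  };
}
```

`makeStandIn({ claimsAccess: true, cookiesWork: false })` models the "Actual result" above; `makeStandIn({ claimsAccess: false, cookiesWork: false })` models the "Expected result".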