[Webkit-unassigned] [Bug 219582] New: hasStorageAccess() should return false for embedded documents that have never set cookies in the first-party context

bugzilla-daemon at webkit.org
Sun Dec 6 10:08:46 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=219582

            Bug ID: 219582
           Summary: hasStorageAccess() should return false for embedded
                    documents that have never set cookies in the
                    first-party context
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: senglehardt at mozilla.com

Tested in Safari Tech Preview v 14.1.

STR (on a clean profile):
1. Go to https://englehardt-tracker.com/index.html and interact with the page
2. Go to https://senglehardt.com/test/dfpi/storage_access_api.html.
3. In the third iframe from englehardt-tracker.com, click requestStorageAccess(). Click allow in the storage access prompt.
4. Click hasStorageAccess()

Expected result: hasStorageAccess() returns `false`. Though englehardt-tracker.com was previously visited as a first party (and received user interaction), it did not set cookies as a first party. Thus Safari will still prevent it from setting or retrieving cookies, even after the user has approved storage access via requestStorageAccess.

Actual result: hasStorageAccess() returns `true`, but the embedded frame is unable to set / retrieve cookies.

From a developer perspective it might actually make more sense to add the additional cookie restriction as another requirement for requestStorageAccess(). I.e., automatically deny requestStorageAccess if the requesting origin hasn't been visited, interacted with, and set a cookie as a first party. Alternatively you could consider unblocking cookies after a successful call to requestStorageAccess(), even if the embedded origin had never set a cookie in the first-party context.

-- 
You are receiving this mail because:
You are the assignee for the bug.
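
A frame-side check for the mismatch reported above, added here as an example and not taken from the bug report or from WebKit: it compares what hasStorageAccess() reports with whether a cookie written by the frame can actually be read back. The names `effectiveStorageAccess`, `cookieRoundTrip`, `PROBE_NAME` and `makeFakeDocument` are hypothetical, and the fake document is constructed so the check can run outside a browser.

```javascript
// Added example; all names here are hypothetical, not WebKit or page code.
const PROBE_NAME = "__sa_probe";

// Write a throwaway cookie, read it back, then expire it.
// Returns true only if the write was actually honoured.
function cookieRoundTrip(doc) {
  const value = Math.random().toString(36).slice(2);
  // SameSite=None; Secure is what a cross-site iframe cookie needs.
  doc.cookie = `${PROBE_NAME}=${value}; Path=/; SameSite=None; Secure`;
  const ok = doc.cookie.split("; ").includes(`${PROBE_NAME}=${value}`);
  doc.cookie = `${PROBE_NAME}=; Path=/; Max-Age=0; SameSite=None; Secure`;
  return ok;
}

// reported:  what hasStorageAccess() claims (null if the API is absent).
// effective: whether cookies really work for this frame.
async function effectiveStorageAccess(doc) {
  if (typeof doc.hasStorageAccess !== "function") {
    return { reported: null, effective: cookieRoundTrip(doc) };
  }
  const reported = await doc.hasStorageAccess();
  return { reported, effective: reported && cookieRoundTrip(doc) };
}

// Constructed stand-in for `document`. With cookiesBlocked: true it models
// the reported behaviour: the API says true but cookie writes are dropped.
function makeFakeDocument({ reported, cookiesBlocked }) {
  const jar = new Map();
  return {
    hasStorageAccess: async () => reported,
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
    },
    set cookie(str) {
      if (cookiesBlocked) return; // write silently ignored
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const eq = pair.indexOf("=");
      const name = pair.slice(0, eq);
      if (attrs.some((a) => /^max-age=0$/i.test(a))) jar.delete(name);
      else jar.set(name, pair.slice(eq + 1));
    },
  };
}
```

In an embedded frame the call would be `effectiveStorageAccess(document)`; a result with `reported: true` and `effective: false` is the state described in this report.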