[Webkit-unassigned] [Bug 196592] Cookies not sent with third party requests via XHR or iFrame

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Jan 26 09:32:56 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=196592

--- Comment #7 from John Wilander <wilander at apple.com> ---
(In reply to Sam Potts from comment #6)
> The problem with using the Storage Access API is it requires a user gesture
> and we have an invisible frame/xhr request checking the user's authentication
> status. It also has no mention of XHR or fetch requests. Until a more well
> thought out solution comes along we'll just have to continue to recommend
> that users avoid Safari for our application which is a shame.

It’s intentional that it requires a user gesture. Otherwise all trackers and third-parties would just invisibly call it and we’d be back at square zero. We might as well not have the API at that point, right? I assume you mean some other restriction. Please share how you think this could keep the user in control, limit prompting to the few third-parties that the user may be logged in to, while still preventing invisible cross-site tracking.

XHR/Fetch within the iframe get cookies if the third-party is granted access. If you’d prefer some other behavior, please explain your use case(s) in the discussion on standardization of the Storage Access API. It’s hopefully moving to the new W3C Privacy Community Group soon.

You should expect third-party cookies to be obsoleted fully across all mainstream browsers in less than two years. Chrome announced about two weeks ago they will disable them within two years.

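The flow discussed in this comment, as an added example that is not part of the original thread or WebKit's own code: a script inside the third-party iframe checks `document.hasStorageAccess()` silently, calls `document.requestStorageAccess()` only from a user gesture handler, and then issues a credentialed fetch. The `/session` endpoint (assumed to answer with a non-2xx status when there is no session), the `signin` element id, and the function names are assumptions.

```javascript
// Added example: code for the embedded third-party frame (not WebKit's code).
// AUTH_STATUS_URL, silentCheck, onUserGesture and "signin" are assumed names.
const AUTH_STATUS_URL = "/session"; // hypothetical endpoint on the embedded origin

// Credentialed request from inside the iframe; cookies are attached only
// once the frame has been granted storage access.
async function checkSession(fetchImpl) {
  const res = await fetchImpl(AUTH_STATUS_URL, { credentials: "include" });
  return res.ok ? "logged-in" : "logged-out"; // assumes non-2xx means no session
}

// Runs on load with no user gesture, so it only queries the current state.
async function silentCheck(doc, fetchImpl) {
  if (typeof doc.hasStorageAccess !== "function") {
    return checkSession(fetchImpl); // browser without the Storage Access API
  }
  if (await doc.hasStorageAccess()) return checkSession(fetchImpl);
  return "needs-gesture"; // caller shows a visible sign-in control
}

// Runs from a click/tap handler. requestStorageAccess() is the first call so
// the user activation is still valid when the browser evaluates it.
async function onUserGesture(doc, fetchImpl) {
  try {
    await doc.requestStorageAccess();
  } catch (err) {
    return "denied"; // no gesture, or the user declined the prompt
  }
  return checkSession(fetchImpl);
}

// Browser wiring (skipped outside a browser).
if (typeof document !== "undefined") {
  const button = document.getElementById("signin");
  const doFetch = (url, opts) => fetch(url, opts);
  silentCheck(document, doFetch).then((state) => {
    if (button) button.hidden = state !== "needs-gesture";
  });
  if (button) {
    button.addEventListener("click", () => onUserGesture(document, doFetch));
  }
}
```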