[Webkit-unassigned] [Bug 209547] Cookies can be sent to a 3rd party context

Wed Mar 25 10:25:50 PDT 2020

https://bugs.webkit.org/show_bug.cgi?id=209547

John Wilander <wilander at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wilander at apple.com

--- Comment #1 from John Wilander <wilander at apple.com> ---
Thanks so much for filing, Eric! We appreciate developers and other browser engineers having a look at our features and letting us know about any unexpected behavior or bugs.

I did testing with your test rig and I believe you are hitting our temporary compatibility fix for popups.

If a debugtheweb.com window is opened from enhanceie.com via window.open(), and the debugtheweb.com child window gets user interaction, third-party cookie access is opened up for debugtheweb.com under the parent page from enhanceie.com. This is to allow legacy federated login flows to still work and originally shipped in 2018 (see "Temporary Compatibility Fix: Automatic Storage Access for Popups" in https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/) and was later restricted with the user interaction requirement in the popup/child window (see "Removed Compatibility Fix for Popups" in https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/). This compatibility measure has also been added to the explainer in the standardization process of the Storage Access API: https://github.com/privacycg/storage-access/blob/master/README.md#compatibility-measure

With this information, could you confirm that what you're seeing is expected behavior? Thanks!

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200325/897c9034/attachment.htm>