[Webkit-unassigned] [Bug 216922] New: ITP breaks login to bookmarklets

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 24 04:04:19 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=216922

            Bug ID: 216922
           Summary: ITP breaks login to bookmarklets
           Product: WebKit
           Version: Safari 13
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cicas at seznam.cz

This issue applies to both Safari 13 and the new Epiphany 3.38.0 (with WebKitGTK 2.30.1). It works fine with other browsers (even Firefox with strict tracking protection).

I use several bookmarklets (pieces of javascript, saved as bookmarks, that allow to manipulate the currently viewd website), that require login to a service. When I try to login to the service from the bookmarklet, it doesn't work because cookies don't go through.

One example bookmarklet is Diigolet [1] - it allows saving websites to my Diigo library, make annotations, higlight text, add sticky notes etc. (similar to Evernote). When I find a website that I want to save and annotate, I would open the bookmarklet from my bookmarks menu and login (usually I login just once). Login page opens in a new tab, and after successful login I would return to the page I want to save. However this fails in Safari and Epiphany with ITP enabled and the bookmarklet stays logged out.

Another bookmarklet experiencing this problem is Mendeley (a reference manager, which allows collection of scientific papers and citations through browser plugin/bookmarklet). This bookmarklet explicitly complains about 3rd-party cookies being blocked. I used to have this issue years ago in Chrome after I started blocking 3rd-party cookies, and I resolved it by whitelisting the domain of Mendeley.

However whitelisting of domains does not seem to be available in either Safari nor Epiphany. One of the maintainers of Epiphany mentioned that this would require work in Webkit itself [2]. Would it be possible to implement support for user-defined whitelist of domains that would be excluded from ITP?

Note that the javascript snippets in bookmarklets are not active at all times and are only invoked when the user specifically wishes to use their functionality (in my case saving to cloud service/personal library). Moreover, even login to services like Disqus does have similar issues (login page opens in a new tab, but the service seems loged out after returning to the original page with Disqus comment section).

[1] https://www.diigo.com/tools/diigolet
[2] https://blogs.gnome.org/mcatanzaro/2020/09/16/epiphany-3-38-and-webkitgtk-2-30/#comment-19098

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200924/b2afa798/attachment-0001.htm>

More information about the webkit-unassigned mailing list