[Webkit-unassigned] [Bug 216922] ITP breaks login to bookmarklets

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 25 19:16:08 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=216922

--- Comment #1 from John Wilander <wilander at apple.com> ---
(In reply to jena from comment #0)
> This issue applies to both Safari 13 and the new Epiphany 3.38.0 (with
> WebKitGTK 2.30.1). It works fine with other browsers (even Firefox with
> strict tracking protection).
> 
> I use several bookmarklets (pieces of javascript, saved as bookmarks, that
> allow to manipulate the currently viewed website), that require login to a
> service. When I try to login to the service from the bookmarklet, it doesn't
> work because cookies don't go through.
> 
> One example bookmarklet is Diigolet [1] - it allows saving websites to my
> Diigo library, make annotations, highlight text, add sticky notes etc.
> (similar to Evernote). When I find a website that I want to save and
> annotate, I would open the bookmarklet from my bookmarks menu and login
> (usually I login just once). Login page opens in a new tab, and after
> successful login I would return to the page I want to save. However this
> fails in Safari and Epiphany with ITP enabled and the bookmarklet stays
> logged out.
> 
> Another bookmarklet experiencing this problem is Mendeley (a reference
> manager, which allows collection of scientific papers and citations through
> browser plugin/bookmarklet). This bookmarklet explicitly complains about
> 3rd-party cookies being blocked. I used to have this issue years ago in
> Chrome after I started blocking 3rd-party cookies, and I resolved it by
> whitelisting the domain of Mendeley.
> 
> However whitelisting of domains does not seem to be available in either
> Safari or Epiphany. One of the maintainers of Epiphany mentioned that this
> would require work in WebKit itself [2]. Would it be possible to implement
> support for user-defined whitelist of domains that would be excluded from
> ITP?
> 
> Note that the javascript snippets in bookmarklets are not active at all
> times and are only invoked when the user specifically wishes to use their
> functionality (in my case saving to cloud service/personal library).
> Moreover, even login to services like Disqus does have similar issues (login
> page opens in a new tab, but the service seems logged out after returning to
> the original page with Disqus comment section).
> 
> [1] https://www.diigo.com/tools/diigolet
> [2] https://blogs.gnome.org/mcatanzaro/2020/09/16/epiphany-3-38-and-webkitgtk-2-30/#comment-19098

Hi, and thanks for filing!

We use the term allow list for what you're describing.

The person you talked to is right in that there is no current support for exempting a specific domain from third-party cookie blocking globally. Instead, the third-party needs to call the Storage Access API and ask for the user's permission. Web extensions have some form of opt out but I do not think it's a per-domain thing.

We don't offer per-site or global exceptions since we believe it would drive websites to pressure users to opt out of privacy protections.

As for comparison with other browsers, Safari and the Tor Browser (and quite possibly Epiphany, based on your report) are the only browsers that block all third-party cookies by default. There is one browser I know of that blocks all third-party cookies *with a few exceptions*. The rest with some form of tracking prevention, including Firefox, *allow* all third-party cookies by default and then block based on a list.

The goal is to fully deprecate third-party cookies outside cases where the user opts in. I don't know what it would take technically to allow bookmarklets to get an exception, or if that's a good idea.
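
The Storage Access API flow mentioned in the reply above, sketched as an added example that is not part of the original message or of WebKit's code. It is meant to run inside the third-party service's embedded frame; the function names and the `login` element id are assumptions.

```javascript
// Runs in the third-party iframe. `doc` is that frame's document; it is
// passed in (rather than read from the global) so the flow can be exercised
// with a stub outside a browser.
async function ensureCookieAccess(doc) {
  // API not present in this browser: there is nothing to request.
  if (typeof doc.hasStorageAccess !== "function" ||
      typeof doc.requestStorageAccess !== "function") {
    return "unsupported";
  }
  // Resolves to true if this frame can already use its first-party cookies.
  if (await doc.hasStorageAccess()) {
    return "already-granted";
  }
  try {
    // Must be reached from a user gesture (click/tap); otherwise, or if the
    // user declines the prompt, the promise rejects.
    await doc.requestStorageAccess();
    return "granted";
  } catch {
    return "denied";
  }
}

// Ties the request to a click so the browser sees a user gesture.
// onReady / onBlocked are hypothetical callbacks supplied by the embed.
function wireLoginButton(doc, button, onReady, onBlocked) {
  button.addEventListener("click", async () => {
    const state = await ensureCookieAccess(doc);
    if (state === "denied") {
      onBlocked(); // e.g. show "open the service in a tab and sign in first"
    } else {
      onReady(state); // cookies are now sent on requests from this frame
    }
  });
}

// Browser-only wiring; skipped when the file is loaded outside a page.
if (typeof document !== "undefined") {
  const button = document.getElementById("login"); // assumed element id
  if (button) {
    wireLoginButton(document, button,
      (state) => console.log("storage access:", state),
      () => console.log("storage access denied"));
  }
}
```
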
