[Webkit-unassigned] [Bug 225297] ITP: Storage on subdomains of the same eTLD+1 is incorrectly partitioned

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 5 00:46:32 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=225297

--- Comment #8 from Mattias Svanström <mmso at protonmail.com> ---
IMHO this should be considered a real bug, despite not being a regression, as the documentation makes more sense than the behavior.
In particular, cookies are correctly partitioned by eTLD+1, and an iframe can access subdomain-specific cookies even if it's embedded under a different subdomain in the same eTLD+1. And if it's embedded under a different eTLD+1, it can use the Storage Access API to get access to its cookies.
However, an iframe can't access its own LocalStorage if it's embedded under a different subdomain in the same eTLD+1. Using the Storage Access API also has no effect, presumably because that API correctly detects that the iframe is embedded under the same eTLD+1, so there should be no need to use this API.

In the ProtonMail web app, we would prefer to use LocalStorage rather than cookies, as we don't want this data to be sent to the server (for privacy reasons). The current behavior seems to push web developers towards cookies rather than LocalStorage, for no good reason, as far as we can tell.
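A diagnostic for the mismatch described in the comment above, as an added example that is not part of the original comment and is not WebKit or ProtonMail code. Run inside the embedded iframe, it compares cookie and LocalStorage visibility before and after a Storage Access API request. The key `storage_probe_marker` and all function names are hypothetical, and the iframe's origin is assumed to have set the marker as both a cookie and a LocalStorage item while loaded as a top-level page.

```javascript
// Added example. MARKER is a hypothetical key; the iframe's origin is assumed to
// have set it as both a cookie and a localStorage item while loaded top-level.
const MARKER = "storage_probe_marker";

// Synchronous snapshot of what this frame can see right now.
function readStorageState(win) {
  const state = { embedded: win.self !== win.top, cookie: false, localStorage: false, error: null };
  state.cookie = win.document.cookie
    .split(";")
    .some((c) => c.trim().startsWith(MARKER + "="));
  try {
    state.localStorage = win.localStorage.getItem(MARKER) !== null;
  } catch (e) {
    // Access can throw (e.g. SecurityError) when storage is blocked outright.
    state.error = e.name;
  }
  return state;
}

// Turn a snapshot into a verdict a developer can log or report.
function classify(state) {
  if (!state.embedded) return "top-level: nothing to compare";
  if (state.cookie && state.localStorage) return "consistent: cookie and localStorage both visible";
  if (state.cookie) return "mismatch: cookie visible, localStorage not (behaviour described in the comment)";
  return "cookie not visible: frame is treated as third-party or marker was never set";
}

// Full probe: snapshot, try the Storage Access API if present, snapshot again.
async function probe(win) {
  const before = readStorageState(win);
  const doc = win.document;
  let hadAccess = null;
  let requestResult = "unsupported";
  if (typeof doc.hasStorageAccess === "function") {
    hadAccess = await doc.hasStorageAccess();
    // requestStorageAccess normally needs a user gesture; rejection is recorded, not fatal.
    requestResult = await doc.requestStorageAccess().then(() => "granted", () => "rejected");
  }
  const after = readStorageState(win);
  return { before, after, hadAccess, requestResult, verdict: classify(after) };
}

// In a browser, run inside the embedded frame (ideally from a click handler).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  probe(window).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

A `mismatch` verdict whose `before` and `after` snapshots are identical corresponds to the case the comment reports, where the Storage Access API call changes nothing for LocalStorage.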
