[Webkit-unassigned] [Bug 241803] Safari throws exception when calling requestStorageAccess

bugzilla-daemon at webkit.org
Fri Jul 1 06:45:44 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=241803

--- Comment #24 from John Wilander <wilander at apple.com> ---
(In reply to Jason Wilson from comment #23)
> Unfortunately it makes it useless for our cross-domain authentication.  Is
> there something in the proposed standard that allows for sites to opt out of
> the ITP if they control both domains -- perhaps allow iframes sandboxed with
> allow-same-origin to access 1st party storage. 

There is no such affordance since there is no trustworthy way for a browser to know that two domains belong to the same company.

> Our company has grown significantly in the last 2 years through acquisition
> and right now consolidating under a single domain isn't an option. 
> Cross-domain authentication is an intermediate step for us while we
> implement other auth schemes that don't use 3rd party cookies, but it's a
> necessary step.

A major challenge here, which has been discussed at length in web standards, is that users have no reasonable way of knowing that two domains belong to the same company. Users also don’t expect a login on one site to invisibly log them in on another.

We typically advise developers to establish login tokens on the first party website where the user interacts instead of trying to maintain it as third-party. You make a transaction between the domains and then keep the login state on the first-party website.

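The pattern in comment #24 (handle the rejected `requestStorageAccess()` call, then hand the login off to a top-level first-party flow instead of relying on third-party storage) as an added example. This is not code from the bug thread or from WebKit; the origins, the `/login` path, the `return_to`/`state` parameter names and the `fakeDocument` helper are all assumptions made for the illustration, and the functions take a `document` argument so the logic can be exercised outside a browser.

```javascript
// Added example, not from the WebKit bug thread. Hypothetical origins;
// in a real deployment the allowlist comes from configuration.
const ALLOWED_RETURN_ORIGINS = new Set([
  'https://app.example',
  'https://legacy.example',
]);

// Ask for cross-site storage access. The promise rejects when the browser
// refuses (the exception the bug title refers to), so the caller must treat
// rejection as a normal outcome, not as a crash.
async function ensureStorageAccess(doc) {
  if (typeof doc.hasStorageAccess !== 'function') {
    return 'unsupported';
  }
  if (await doc.hasStorageAccess()) {
    return 'already-granted';
  }
  try {
    await doc.requestStorageAccess(); // must be called from a user gesture
    return 'granted';
  } catch (err) {
    return 'denied';
  }
}

// First-party handoff: the top-level page navigates to the auth origin,
// logs in there as first party, and is sent back to `returnTo`. The return
// target is checked against an allowlist so the auth endpoint cannot be
// turned into an open redirector, and `state` lets the caller bind the
// round trip to the session that started it.
function buildFirstPartyLoginUrl(authOrigin, returnTo, state) {
  let target;
  try {
    target = new URL(returnTo);
  } catch (err) {
    throw new Error('returnTo must be an absolute URL');
  }
  if (target.protocol !== 'https:' || !ALLOWED_RETURN_ORIGINS.has(target.origin)) {
    throw new Error(`return origin not allowed: ${target.origin}`);
  }
  const login = new URL('/login', authOrigin); // hypothetical endpoint
  login.searchParams.set('return_to', target.href);
  login.searchParams.set('state', state);
  return login.href;
}

// Decision for an embedded widget: use the granted storage access, or fall
// back to the first-party redirect recommended in the thread.
async function chooseLoginStrategy(doc, authOrigin, returnTo, state) {
  const access = await ensureStorageAccess(doc);
  if (access === 'granted' || access === 'already-granted') {
    return { mode: 'storage-access' };
  }
  return {
    mode: 'first-party-redirect',
    url: buildFirstPartyLoginUrl(authOrigin, returnTo, state),
  };
}

// Constructed stand-in for `document`, used only to run the logic offline.
function fakeDocument({ hasAccess, grant }) {
  return {
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => {
      if (!grant) {
        const err = new Error('storage access denied');
        err.name = 'NotAllowedError';
        throw err;
      }
    },
  };
}

// Demo run with a document that refuses access: the widget falls back to
// the first-party redirect.
chooseLoginStrategy(
  fakeDocument({ hasAccess: false, grant: false }),
  'https://auth.example',
  'https://app.example/dashboard',
  'constructed-state-value',
).then((decision) => console.log(decision));
```

In a real page `ensureStorageAccess(document)` has to run inside a click handler, and the auth origin's `/login` handler should apply the same allowlist check to `return_to` before redirecting back.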