[Webkit-unassigned] [Bug 241803] New: Safari throws exception when calling requestStorageAccess

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 21 06:59:34 PDT 2022


            Bug ID: 241803
           Summary: Safari throws exception when calling
           Product: WebKit
           Version: Safari 15
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jason.wilson at flashparking.com

I have to say Safari's (webkit) implementation of Intelligent Tracking Protection (ITP) and the Storage Access API has been challenging to get right.

- We have a company that has grown through acquisition and we are trying to implement a unified authentication scheme that uses cross-domain access to tokens stored in cookies.
- Each portal implementing the scheme will have an iframe that hosts a component from an authentication domain and will use **postMessage()** to check for the existence of the necessary authentication token.
- The initial implementation worked for Chrome/Edge/Opera/other Chromium browsers, but needed to be adjusted to implement the Storage Access API to allow the authentication component to request 1st party storage access.
- This worked as documented in Firefox.
- Safari throws an exception when **requestStorageAccess()** is called and the error object is undefined.

Here are some examples of the relevant code:

``` html
<iframe  class="portal-navigation-frame" allowtransparency="true" style="position:absolute; top: -60px; right: -250px;display:none;"
                id="authFrame" sandbox="allow-scripts allow-storage-access-by-user-activation allow-same-origin allow-top-navigation allow-forms"></iframe>
```

**Authentication Component**
``` javascript
const authorizeStorageAccess = async () => {
  try {
    // Feature-detect the Storage Access API before using it
    if (document.hasStorageAccess) {
      if (await document.hasStorageAccess() == false) {
        console.log("authCommunicationService.authorizeStorageAccess", "does not have storage access");
        if (document.requestStorageAccess) {
          // This is the call that rejects in Safari
          await document.requestStorageAccess();
        } else {
          console.log("authCommunicationService.authorizeStorageAccess", "requestStorageAccess not available");
        }
      } else {
        console.log("authCommunicationService.authorizeStorageAccess", "already has access");
      }
    } else {
      // Browser does not expose hasStorageAccess()
      console.log("authCommunicationService.authorizeStorageAccess", "already has automatic");
    }
  } catch (err) {
    // In Safari, err is undefined here
    console.log("authCommunicationService.authorizeStorageAccess", "error", err);
  }
};
```
Note:  **authorizeStorageAccess()** is called from a button event handler and only after the user has been redirected to the authentication domain to login and returned.

Any assistance would be greatly appreciated.
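
The flow this report describes (an embedded authentication frame that requests storage access and tells the portal over `postMessage()` whether a token exists), sketched as an added example that is not the reporter's code or WebKit's. The `auth-status` message type, its field names, the result states, and the `doc`/window parameters (stand-ins for `document` and the real windows) are assumptions.

```javascript
// Added example. `doc` stands in for `document` so the logic runs outside a
// browser; state names and the "auth-status" message shape are assumptions.

// Auth component (inside the iframe): request first-party storage access and
// always return a structured result, even when the promise rejects with no reason.
async function ensureStorageAccess(doc) {
  if (typeof doc.hasStorageAccess !== "function") {
    return { state: "not-needed" };          // no Storage Access API in this browser
  }
  if (await doc.hasStorageAccess()) {
    return { state: "already-granted" };
  }
  if (typeof doc.requestStorageAccess !== "function") {
    return { state: "unsupported" };
  }
  try {
    await doc.requestStorageAccess();        // call from a user-gesture handler
    return { state: "granted" };
  } catch (err) {
    // The rejection may carry no reason at all, so never dereference err blindly.
    const reason = err == null ? "rejected-without-reason" : String(err.name || err);
    return { state: "denied", reason };
  }
}

// Auth component: report only whether a token exists, to one explicit origin.
function reportAuthStatus(portalWindow, portalOrigin, hasToken, access) {
  // Explicit targetOrigin, never "*": the message reveals authentication state.
  portalWindow.postMessage(
    { type: "auth-status", hasToken, storage: access.state }, portalOrigin);
}

// Portal (parent page): accept the status only from the auth iframe's own
// window and origin, and only in the expected shape.
function readAuthStatus(event, authFrameWindow, authOrigin) {
  if (event.origin !== authOrigin) return null;       // wrong sender origin
  if (event.source !== authFrameWindow) return null;  // not our iframe
  const data = event.data;
  if (!data || data.type !== "auth-status") return null;
  if (typeof data.hasToken !== "boolean") return null;
  return { hasToken: data.hasToken, storage: String(data.storage || "unknown") };
}
```

In a browser the portal would call `readAuthStatus(event, authFrame.contentWindow, authOrigin)` from its `message` listener and treat a `null` result as "ignore this message".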

