[Webkit-unassigned] [Bug 241803] New: Safari throws exception when calling requestStorageAccess
bugzilla-daemon at webkit.org
Tue Jun 21 06:59:34 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=241803
Bug ID: 241803
Summary: Safari throws exception when calling requestStorageAccess
Product: WebKit
Version: Safari 15
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jason.wilson at flashparking.com
I have to say Safari's (WebKit) implementation of Intelligent Tracking Protection (ITP) and the Storage Access API has been challenging to get right.
Situation:
- We have a company that has grown through acquisition and we are trying to implement a unified authentication scheme that uses cross-domain access to tokens stored in cookies
- Each portal implementing the scheme will have an iframe that hosts a component from an authentication domain and will use **postMessage()** to check for the existence of the necessary authentication token.
- The initial implementation worked for Chrome/Edge/Opera/other Chromium browsers, but needed to be adjusted to implement the Storage Access API to allow the authentication component to request 1st party storage access.
- This worked as documented in Firefox
- Safari throws an exception when **requestStorageAccess()** is called and the error object is undefined
Here are some examples of the relevant code:
**Iframe**
``` html
<iframe class="portal-navigation-frame" allowtransparency="true" style="position:absolute; top: -60px; right: -250px;display:none;"
id="authFrame" sandbox="allow-scripts allow-storage-access-by-user-activation allow-same-origin allow-top-navigation allow-forms"
src="@Constants.AuthenticationUrl"></iframe>
```
**Authentication Component**
``` javascript
const authorizeStorageAccess = async () => {
    // The Storage Access API is present: check the current state, then request access if needed.
    if (document.hasStorageAccess) {
        try {
            if (await document.hasStorageAccess() === false) {
                console.log("authCommunicationService.authorizeStorageAccess", "does not have storage access");
                if (document.requestStorageAccess) {
                    await document.requestStorageAccess();
                } else {
                    console.log("authCommunicationService.authorizeStorageAccess", "requestStorageAccess not available");
                }
            } else {
                console.log("authCommunicationService.authorizeStorageAccess", "already has access");
            }
        } catch (err) {
            // Per the report, Safari ends up here and err is undefined.
            console.log("authCommunicationService.authorizeStorageAccess", "error", err);
        }
    } else {
        // No Storage Access API on this browser.
        console.log("authCommunicationService.authorizeStorageAccess", "already has automatic access");
    }
};
```
Note: **authorizeStorageAccess()** is called from a button event handler and only after the user has been redirected to the authentication domain to login and returned.
Any assistance would be greatly appreciated.
Jason
--
You are receiving this mail because:
You are the assignee for the bug.
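An added example (not part of the original report and not WebKit's code) of the two paths the report describes for the authentication component: a storage access request that still records the outcome when the rejection carries no error value, and a **postMessage()** token check that answers only allowlisted portal origins. The origins, cookie name, message types and button id are assumptions.

```javascript
// Added example, not code from the bug report. Origins, cookie name and
// message types are constructed placeholders.
const TRUSTED_PORTALS = new Set(["https://portal-a.example", "https://portal-b.example"]);
const TOKEN_COOKIE = "auth_token"; // hypothetical; must be script-readable for this check

// Button handler path. requestStorageAccess() is the first call made, with no
// await before it, so it runs synchronously inside the caller's click handler.
// Always resolves to an outcome object, so a rejection with no reason
// (err undefined, as the report describes) is still recorded.
async function requestAccess(doc) {
  if (typeof doc.requestStorageAccess !== "function") return { state: "api-absent" };
  try {
    await doc.requestStorageAccess();
    return { state: "granted" };
  } catch (err) {
    const reason = err == null ? "rejected with no reason"
      : `${err.name || "Error"}: ${err.message || String(err)}`;
    return { state: "denied", reason };
  }
}

// postMessage path. Only allowlisted portals get an answer, and the reply is
// addressed to that exact origin rather than "*".
async function answerTokenQuery(event, doc) {
  if (!TRUSTED_PORTALS.has(event.origin)) return null;
  if (!event.data || event.data.type !== "auth-token-check") return null;
  const hasAccess = typeof doc.hasStorageAccess !== "function" || await doc.hasStorageAccess();
  const hasToken = hasAccess &&
    doc.cookie.split("; ").some((c) => c.startsWith(TOKEN_COOKIE + "="));
  const reply = { type: "auth-token-status", hasAccess, hasToken };
  event.source.postMessage(reply, event.origin);
  return reply;
}

// Browser wiring (skipped when run outside a page).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (e) => answerTokenQuery(e, document));
  const btn = document.getElementById("grantAccess"); // hypothetical button id
  if (btn) btn.addEventListener("click", async () => console.log(await requestAccess(document)));
}
```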