[Webkit-unassigned] [Bug 241155] New: PopUpSOAuthorizationSession::initSecretWebView performs a shallow copy leading to manipulation of parent view configuration

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 31 14:02:28 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=241155

            Bug ID: 241155
           Summary: PopUpSOAuthorizationSession::initSecretWebView
                    performs a shallow copy leading to manipulation of
                    parent view configuration
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bfulgham at webkit.org

The AppSSO flows that create a new WKWebView pass through a method 'PopUpSOAuthorizationSession::initSecretWebView'. This conducts SSO flows in an invisible window for cases where other UI handles the actual authentication, but a web view is needed to handle server interactions. It turns AppSSO off in this view so that normal server authentication can happen without AppSSO being triggered a second time.

This method made the common mistake of believing that copying the configuration of the parent WKWebView gave a deep copy that could be manipulated to control the invisible view independently of the parent view. While the method correctly disabled AppSSO for the hidden view, it also deactivated it for the parent view.

This bug could lead to cases where someone who mistakenly terminated an AppSSO flow would be unable to start the process a second time, as the view would now be configured to block access to AppSSO authentication.

This bug corrects that bug.

-- 
You are receiving this mail because:
You are the assignee for the bug.
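
The shallow-copy mistake described in this report, reduced to a small C++ model. This is an added illustration, not WebKit code and not the patch for this bug: `Settings`, `ViewConfiguration`, `appSSOEnabled` and the function names are hypothetical, and it assumes the AppSSO switch lives in a nested object that the configuration holds by reference.

```cpp
#include <memory>

// Hypothetical model, not WebKit code: the SSO switch lives in a settings
// object that the view configuration holds by reference.
struct Settings {
    bool appSSOEnabled = true;
};

struct ViewConfiguration {
    std::shared_ptr<Settings> settings = std::make_shared<Settings>();

    // Duplicates the outer object only: the new configuration points at
    // the same Settings instance as the original.
    ViewConfiguration shallowCopy() const { return *this; }

    // Duplicates the nested Settings too, so the copy can diverge.
    ViewConfiguration deepCopy() const {
        ViewConfiguration copy;
        copy.settings = std::make_shared<Settings>(*settings);
        return copy;
    }
};

// Buggy pattern: configure the hidden view through a shallow copy.
// Returns whether AppSSO is still enabled on the parent afterwards.
bool parentSSOAfterShallowCopy() {
    ViewConfiguration parent;
    ViewConfiguration hidden = parent.shallowCopy();
    hidden.settings->appSSOEnabled = false; // also flips the parent's flag
    return parent.settings->appSSOEnabled;
}

// Corrected pattern: give the hidden view its own Settings first.
bool parentSSOAfterDeepCopy() {
    ViewConfiguration parent;
    ViewConfiguration hidden = parent.deepCopy();
    hidden.settings->appSSOEnabled = false; // parent is untouched
    return parent.settings->appSSOEnabled;
}

// Regression check: do two configurations alias the same Settings?
bool sharesSettings(const ViewConfiguration& a, const ViewConfiguration& b) {
    return a.settings == b.settings;
}

int main() {
    return (!parentSSOAfterShallowCopy() && parentSSOAfterDeepCopy()) ? 0 : 1;
}
```

A regression test for this class of bug can assert on the parent's state after the child view is configured, or on pointer inequality of the nested object, as `sharesSettings` does here.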