[Webkit-unassigned] [Bug 247565] New: REGRESSION (Safari 16.1): SessionStorage set in iFrame window not accessible from top Window in same domain

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 7 03:51:21 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=247565

            Bug ID: 247565
           Summary: REGRESSION (Safari 16.1): SessionStorage set in iFrame
                    window not accessible from top Window in same domain
           Product: WebKit
           Version: Safari 16
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Website Storage
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: roberto.carettoni at reti.it
                CC: sihui_liu at apple.com

Our application is hosted on subdomain.example.it.
Customers can log in to our application directly from a login page hosted on our subdomain.example.it, but they mainly log in from a login widget contained in an iFrame inside the main corporate site hosted on the main domain example.it.

1) The login widget hosted in the iFrame contained in the corporate site example.it calls the login API, which returns an authorization token that is set in sessionStorage in the frame context on subdomain.example.it
(e.g.: "sessionStorage.setItem("authToken", "xyz")").
2) Then, the login widget redirects the top window to subdomain.example.it
(e.g.: "window.top.location.replace(document.location.origin)"; location.origin is subdomain.example.it in the frame context).
3) The client-side application then reloads in the top window context on subdomain.example.it and reads the authorization token from the previously set sessionStorage to call authenticated APIs
(e.g.: "sessionStorage.getItem("authToken")").

From Safari 16.1 this doesn't work anymore, because at point 3) the sessionStorage is empty, even though it was set from the same domain and the application reloads in the same tab.

We confirm that this bug was introduced with Safari 16.1; it works fine in all Safari versions until 16.0.x.

This bug is present in Safari 16.1 for iOS (tested on different iPhone devices) and Safari 16.1 for macOS (tested on macOS Monterey 12.6.1).

It obviously works in all other browsers.

Can you fix it?

-- 
You are receiving this mail because:
You are the assignee for the bug.
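
The three steps in the report, replayed against a toy model of per-tab sessionStorage. This is an added illustration, not code from the report or from WebKit. It assumes two possible keying policies for storage areas (frame origin alone, or top-level origin plus frame origin); the report does not state which one Safari 16.1 uses. The class, the function names and the https scheme are hypothetical.

```javascript
// Toy model of one tab's sessionStorage (illustration only, not WebKit code).
// Assumption: a storage area is selected either by the frame's origin alone
// ("origin") or by the pair top-level origin + frame origin ("top+origin").
class TabSessionStorage {
  constructor(keying) {
    this.keying = keying;   // "origin" or "top+origin"
    this.areas = new Map(); // area key -> Map of stored items
  }

  // Return the storage area a frame sees inside a given top-level page.
  areaFor(topOrigin, frameOrigin) {
    const key = this.keying === "origin"
      ? frameOrigin
      : `${topOrigin}|${frameOrigin}`;
    if (!this.areas.has(key)) this.areas.set(key, new Map());
    const area = this.areas.get(key);
    return {
      setItem: (k, v) => { area.set(k, String(v)); },
      getItem: (k) => (area.has(k) ? area.get(k) : null),
    };
  }
}

// Hostnames from the report; the https scheme is an assumption.
const CORPORATE = "https://example.it";
const APP = "https://subdomain.example.it";

function runLoginFlow(keying) {
  const tab = new TabSessionStorage(keying);

  // Step 1: the widget, framed inside the corporate site, stores the token.
  tab.areaFor(CORPORATE, APP).setItem("authToken", "xyz");

  // Step 2: window.top.location.replace(...) navigates the same tab, so the
  // application origin becomes the top-level origin.

  // Step 3: the application, now top-level, reads the token back.
  return tab.areaFor(APP, APP).getItem("authToken");
}

console.log("keyed by frame origin:      ", runLoginFlow("origin"));
console.log("keyed by top + frame origin:", runLoginFlow("top+origin"));
```

In this model the first policy returns the token at step 3 and the second returns null, which matches the symptom described for Safari 16.1.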