[Webkit-unassigned] [Bug 254065] New: Cross-Origin-Embedder-Policy incorrectly blocks iframe on cache hit

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 17 02:47:55 PDT 2023 

https://bugs.webkit.org/show_bug.cgi?id=254065

            Bug ID: 254065
           Summary: Cross-Origin-Embedder-Policy incorrectly blocks iframe
                    on cache hit
           Product: WebKit
           Version: Safari 16
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sam.verschueren at gmail.com

The issue might be related to https://bugs.webkit.org/show_bug.cgi?id=245346. The issue is present on Safari 16, Safari TP, and Epiphany.

At StackBlitz, we are now looking into bringing WebContainers to Safari (https://blog.stackblitz.com/posts/introducing-webcontainers/). We're testing on the Safari Technology Preview as it should have all blocks in place to make it work, which is super exciting!

While testing, I ran into a bug where the `COEP` header on iframes coming from disk cache is not taken into account correctly. I made a git repository to demo what's going wrong https://github.com/SamVerschueren/webkit-coep-disk-cache.

Let me write it down here as well.


# Scenario:
We have a top-level document which defines `COEP: require-corp`, and wants to embed an iframe. The iframe specifies `CORP: cross-origin`.

This works because the iframe indicates the `CORP: cross-origin` header. For the demo in my repository, it could've been `same-origin` as well because they are hosted on the same domain, but in my real-world use case these are different domains.

The iframe is also served with `Cache-Control: public, max-age=3600` to make sure the browser caches the resource.


# Issue:
When starting the demo and opening the page, the iframe is correctly loaded and visible. Refreshing the page also works. However, when quitting the browser entirely with ⌘ Q, re-opening it and opening the web page again, breaks. The iframe will not be loaded. The error in DevTools looks like this

> Refused to display '' in a frame because of Cross-Origin-Embedder-Policy.
Refreshing the page with DevTools open sometimes fixes the issue. But it seems to only fix it if the `iframe.html` resources is loaded from `Memory Cache`. In the scenario where it's loaded from `Disk Cache`, it seems that the `CORP` header from the resource is not taken into account. This is probably the reason why the behaviour is different when quitting Safari entirely, because then the resource doesn't live in memory anymore.


If there's any additional information that you might need to look into this bug, please let me know!

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230317/92862ed7/attachment.htm>

More information about the webkit-unassigned mailing list