[Webkit-unassigned] [Bug 264263] New: [GTK] libwebkit2gtk broke SAML auth on Linux

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 6 09:04:11 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=264263

            Bug ID: 264263
           Summary: [GTK] libwebkit2gtk broke SAML auth on Linux
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Keywords: Gtk
          Severity: Major
          Priority: P3
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: seanmi at cisco.com
                CC: bugs-noreply at webkitgtk.org

After upgrading to version 2.4.1 of libwebkit2gtk we see some embedded browser failures. At first, this seemed to be an IDP issue but we're getting reports of many IDPs (Duo, Okta) with the same errors. During testing, we see that the user attempts to log in via SAML to an IDP and the site just refreshes and nothing happens. In the console logs we see this being logged:

[Warning] [blocked] The page at [IDP LOGIN URL...] was not allowed to display insecure content from blob:https://cisco.login.duosecurity.com/5d947f3c-4c16-4067-867d-72149959feb1. (login.js, line 2)


Downgrading seems to fix this issue. Were there any changes to these policies that we can handle differently? 

Please let me know if there is any further information I can add or reproduction steps you need.
