[Webkit-unassigned] [Bug 262775] New: opening popup from Web Crypto API promise in click handler should be considered user-initiated

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 6 03:48:23 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=262775

            Bug ID: 262775
           Summary: opening popup from Web Crypto API promise in click
                    handler should be considered user-initiated
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: UI Events
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tyr.asd at gmail.com

For example, when implementing the PKCE protocol for OAuth2, one wants to use the Web Crypto API to generate the hash for the code challenge (https://datatracker.ietf.org/doc/html/rfc7636#section-4.2). However, Safari prevents opening a popup window using the generated SHA-256 hash from within the promise returned by the Web Crypto API.

Other browsers (e.g. Chrome, Firefox) do allow opening a popup from within the Web Crypto API promise as long as the initial click is user-initiated.


Example to reproduce:

```javascript
button.onclick = function() {
    const dummy_verifier = Uint8Array.of(1,2,3);
    window.crypto.subtle.digest('SHA-256', dummy_verifier).then(hash => {
        // digest() resolves to an ArrayBuffer; btoa() needs a binary string
        const dummy_challenge = btoa(String.fromCharCode(...new Uint8Array(hash)));
        // Safari blocks this open(): it runs after the click's activation has expired
        window.open(`https://example.com?challenge=${dummy_challenge}`);
    });
}
```
