[Webkit-unassigned] [Bug 273193] New: Safari Intelligent Tracking Prevention is breaking same-site cross-subdomain sync for Transcend Consent Manager
bugzilla-daemon at webkit.org
Wed Apr 24 08:23:29 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=273193
Bug ID: 273193
Summary: Safari Intelligent Tracking Prevention is breaking
same-site cross-subdomain sync for Transcend Consent
Manager
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Website Storage
Assignee: webkit-unassigned at lists.webkit.org
Reporter: bugmail at eligrey.com
CC: sihui_liu at apple.com
Safari Intelligent Tracking Prevention is breaking same-site cross-subdomain sync for Transcend Consent Manager customers. Transcend Consent Manager uses same-site iframes and a postMessage protocol to sync consent cross-domain on a site. Transcend Consent Manager does not use cookies to sync consent, as this helps to avoid unnecessary leakage of user choices over the network.
When ITP is disabled, sync works fine such that subdomain1.example.com can sync consent through consent-sync.example.com and subdomain2.example.com can then resolve consent stored at consent-sync.example.com. When ITP is enabled, consent-sync.example.com gets a different storage partition for each subdomain that requests it, which is incorrect behavior.
To reproduce the issue:
- Open two tabs & attach devtools to each tab
    1. verizon.com
    2. activate.verizon.com
- in tab 1's devtools console, enter:
    console.log(airgap.getConsent().purposes)
    addEventListener('click', airgap.optOut, {once: true})
- click anywhere in the empty space for tab 1 to set full opt out consent
- in tab 2's devtools console, enter the following JavaScript:
    await airgap.sync();
    console.log(airgap.getConsent().purposes)
- The return value should be all false values (no `true` or `Auto` values), indicating that the opt out successfully synchronized cross-subdomain.
Other browsers including Firefox and Chrome are not exhibiting this incorrect partitioning behavior for Transcend and its customers.
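Added illustration (not Transcend's or airgap's code) of the same-site sync-frame pattern the report describes, and of why per-top-site storage partitioning breaks it: the frame accepts postMessage requests only from same-site https origins, keeps consent in its own storage, and a simulation compares one shared store (ITP off) with a separate store per embedding subdomain (ITP on). The message shape, the Map standing in for localStorage, and the two-label site derivation are assumptions.

```javascript
// Added illustration, not Transcend's or airgap's code. Message shape
// ({type, purposes}) and the two-label site derivation are assumptions.
const SYNC_HOST = "consent-sync.example.com";

// Registrable site of a hostname (assumes a two-label eTLD+1, no PSL lookup).
function siteOf(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Accept only https origins on the same site as the sync frame.
function isSameSiteOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  return url.protocol === "https:" && siteOf(url.hostname) === siteOf(SYNC_HOST);
}

// Sync-frame message handler; `store` (a Map) stands in for localStorage.
// Returns the reply the frame would postMessage back, or null if dropped.
function handleSyncMessage(data, origin, store) {
  if (!isSameSiteOrigin(origin) || !data || typeof data !== "object") return null;
  if (data.type === "set-consent") {
    // Keep only boolean purpose flags so a stray value cannot be stored.
    const purposes = Object.fromEntries(
      Object.entries(data.purposes ?? {}).filter(([, v]) => typeof v === "boolean")
    );
    store.set("consent", JSON.stringify(purposes));
    return { type: "consent-set", purposes };
  }
  if (data.type === "get-consent") {
    const raw = store.get("consent");
    return { type: "consent", purposes: raw ? JSON.parse(raw) : {} };
  }
  return null;
}

// Model the two storage behaviours: one shared store for the sync frame
// (ITP off) versus a separate store per embedding top-level site (ITP on).
function simulate(partitionedByTopSite) {
  const stores = new Map();
  const storeFor = (topSite) => {
    const key = partitionedByTopSite ? topSite : "shared";
    if (!stores.has(key)) stores.set(key, new Map());
    return stores.get(key);
  };
  handleSyncMessage({ type: "set-consent", purposes: { Analytics: false, Advertising: false } },
    "https://subdomain1.example.com", storeFor("subdomain1.example.com"));
  return handleSyncMessage({ type: "get-consent" },
    "https://subdomain2.example.com", storeFor("subdomain2.example.com")).purposes;
}
```

`simulate(false)` returns the opt-out recorded by the first subdomain; `simulate(true)` returns an empty object because the second subdomain's partition never saw it.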