[Webkit-unassigned] [Bug 273193] New: Safari Intelligent Tracking Prevention is breaking same-site cross-subdomain sync for Transcend Consent Manager

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 24 08:23:29 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=273193

            Bug ID: 273193
           Summary: Safari Intelligent Tracking Prevention is breaking
                    same-site cross-subdomain sync for Transcend Consent
                    Manager
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Website Storage
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bugmail at eligrey.com
                CC: sihui_liu at apple.com

Safari Intelligent Tracking Prevention is breaking same-site cross-subdomain sync for Transcend Consent Manager customers. Transcend Consent Manager uses same-site iframes and a postMessage protocol to sync consent cross-domain on a site. Transcend Consent Manager does not use cookies to sync consent, as this helps to avoid unnecessary leakage of user choices over the network.

When ITP is disabled, sync works fine such that subdomain1.example.com can sync consent through consent-sync.example.com and subdomain2.example.com can then resolve consent stored at consent-sync.example.com. When ITP is enabled, consent-sync.example.com gets a different storage partition for each subdomain that requests it, which is incorrect behavior.

To reproduce the issue:

- Open two tabs & attach devtools to each tab

1. verizon.com
2. activate.verizon.com

- in tab 1's devtools console, enter:
console.log(airgap.getConsent().purposes)
addEventListener('click', airgap.optOut, {once: true})

- click anywhere in the empty space for tab 1 to set full opt out consent

- in tab 2's devtools console, enter the following JavaScript:

await airgap.sync();
console.log(airgap.getConsent().purposes)

- The return value should be all false values (no `true` or `Auto` values), indicating that the opt out successfully synchronized cross-subdomain.

Other browsers including Firefox and Chrome are not exhibiting this incorrect partitioning behavior for Transcend and its customers.
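The same-site iframe and postMessage sync described in the report, as an added example that is neither Transcend's nor WebKit's code: a Node simulation of a consent-sync frame whose storage is keyed either by the embedding page's site (the behaviour the reporter expects) or by its full origin (the per-subdomain split the reporter observes under ITP). The message format, the opt-out merge rule, the siteOf helper (last two labels, no Public Suffix List lookup), the hostnames and the hypothetical attacker origin are assumptions made for illustration.

```javascript
// Added example, not code from the report, Transcend or WebKit.
// Simulates a same-site consent-sync iframe and its postMessage handler
// in Node, with a simplified storage-partitioning model.

// Registrable domain ("site") of an origin. Assumption: last two labels,
// with no Public Suffix List; sufficient for *.example.com in this example.
function siteOf(origin) {
  const host = new URL(origin).hostname;
  return host.split('.').slice(-2).join('.');
}

function isSameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

const SYNC_ORIGIN = 'https://consent-sync.example.com'; // assumed hostname

// The frame's storage. Browsers key a nested frame's storage by the
// top-level context; partitionBy selects whether that key is the
// top-level *site* or the top-level *origin*.
class ConsentSyncFrame {
  constructor(partitionBy) {
    this.partitionBy = partitionBy; // 'site' or 'origin'
    this.store = new Map();
  }

  partitionKey(topLevelOrigin) {
    return this.partitionBy === 'site' ? siteOf(topLevelOrigin) : topLevelOrigin;
  }

  // Handler for a postMessage event {origin, data}. Only same-site
  // embedders may read or write consent; a cross-site page that could
  // drive this protocol would otherwise be able to flip user choices.
  onMessage(event) {
    if (!isSameSite(event.origin, SYNC_ORIGIN)) {
      return { error: 'rejected: cross-site origin' };
    }
    const key = this.partitionKey(event.origin);
    const current = this.store.get(key) || {};

    if (event.data.type === 'sync') {
      // Assumed merge rule: an opt-out (false) is sticky and never
      // overwritten by a later true/Auto from another subdomain.
      const merged = { ...current };
      for (const [purpose, value] of Object.entries(event.data.purposes)) {
        merged[purpose] = merged[purpose] === false ? false : value;
      }
      this.store.set(key, merged);
      return { type: 'synced', purposes: merged };
    }
    if (event.data.type === 'get') {
      return { type: 'consent', purposes: current };
    }
    return { error: 'unknown message type' };
  }
}

// Embedder side. In a browser this is
// iframe.contentWindow.postMessage(data, SYNC_ORIGIN) and the UA fills in
// event.origin; passing SYNC_ORIGIN as targetOrigin keeps the consent
// payload from being delivered to a frame that has navigated elsewhere.
function postFromPage(frame, origin, data) {
  return frame.onMessage({ origin, data });
}

// The report's scenario: subdomain1 opts out, subdomain2 resolves it.
// Also sends a write from an unrelated site to show the origin check.
function runScenario(partitionBy) {
  const frame = new ConsentSyncFrame(partitionBy);
  postFromPage(frame, 'https://subdomain1.example.com', {
    type: 'sync',
    purposes: { Advertising: false, Analytics: false },
  });
  const seen = postFromPage(frame, 'https://subdomain2.example.com', { type: 'get' });
  const attacker = postFromPage(frame, 'https://evil.example.net', {
    type: 'sync',
    purposes: { Advertising: true },
  });
  return { purposes: seen.purposes, attackerResult: attacker };
}

console.log('site-keyed:  ', runScenario('site').purposes);
console.log('origin-keyed:', runScenario('origin').purposes);
```

With site-keyed partitioning the second subdomain sees both purposes as false; with origin-keyed partitioning it sees an empty consent record, which is the symptom the report describes. The cross-site write is rejected in both modes, which is the check a practitioner should expect any postMessage-based sync frame to perform regardless of how the browser partitions its storage.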
