188783 2018-08-21 04:36:25 -0700 Cookies not available when requestStorageAccess successfully resolves after "allow" in ITP prompt 2018-08-21 23:45:51 -0700 1 1 1 Unclassified WebKit New Bugs Safari Technology Preview Mac macOS 10.13 RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=188830 InRadar P2 Normal --- 1 ulf wilander achristensen commit-queue webkit-bug-importer wilander oldest_to_newest 1452028 0 ulf 2018-08-21 04:36:25 -0700 John Wilander asked me to file a bug here after a bit of discussion on twitter. Not sure if I'm misunderstanding/misusing the Storage Access API but here's my case. When the user answers "allow" on the ITP prompt the cookies are not available in the 3rd party context directly. Not in the requestStorageAccess success callback and not afterwards. If the iframe is __reloaded__ and requestStorageAccess called it's, as expected, automatically successfully resolved and I have access to cookies. Reproduction repo: https://github.com/uliedberg/itp2-test/tree/master/basic-basic-browser-set-cookies-only . I've also put up the main & third party parts on different domains for easier reproduction. The third party iframe page will call hasStorageAccess() on load. * > defaults write com.apple.SafariTechnologyPreview ResourceLoadStatisticsManualPrevalentResource liedberg.org * in Safari Technology Preview 63, clear history and then open: - https://www.alfhild.io/itp2/main/?thirdparty-url=https%3A%2F%2Fwww.liedberg.org%2Fitp2%2Fthirdparty%2F 1. Click "open popup" link (third party in main page) 2. Click "write cookie" link (popup page) 3. Click "close" link (popup page) 4. Click "request access" link (third party in main page) 5. Select "allow" in ITP prompt (main page) - at this point the third party iframe tries to read the cookie but no value 6. Click "read cookie" link (third party in main page) - no value still 7. Click "reload iframe" link (third party in main page) 8. Click "request access" link (third party in main page) - __now__ the cookies are available 1452075 1 wilander 2018-08-21 06:36:44 -0700 Thanks, Ulf! 1452076 2 webkit-bug-importer 2018-08-21 06:37:22 -0700 <rdar://problem/43559215> 1452321 3 347705 wilander 2018-08-21 14:56:48 -0700 Created attachment 347705 Patch 1452323 4 wilander 2018-08-21 15:01:33 -0700 I found the bug, and it's related to the other bug you reported about the prompt showing the full host names instead of eTLD+1s. The specific code path for the prompt sends the host names instead of the eTLD+1s which means storage access is granted for the host and not the eTLD+1. Then, when cookie resolution happens, there is no storage access entry for the eTLD+1 and thus no cookies. The second code path, i.e. without a prompt, correctly stores and entry for the eTLD+1 and resolution works. Again, thanks for the bug report, Ulf! 1452344 5 347705 wilander 2018-08-21 15:25:45 -0700 Comment on attachment 347705 Patch Thanks, Alex! 1452390 6 347705 commit-queue 2018-08-21 16:32:39 -0700 Comment on attachment 347705 Patch Clearing flags on attachment: 347705 Committed r235145: <https://trac.webkit.org/changeset/235145> 1452391 7 commit-queue 2018-08-21 16:32:41 -0700 All reviewed patches have been landed. Closing bug. 1452547 8 ulf 2018-08-21 23:45:51 -0700 Happy to help! 347705 2018-08-21 14:56:48 -0700 2018-08-21 16:32:39 -0700 Patch bug-188783-20180821145647.patch text/plain 2119 wilander U3VidmVyc2lvbiBSZXZpc2lvbjogMjM1MTQxCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IDcwNTA4ZDMxODdkYWEzYzdm NzAzZmMzOGMzOWFmNTU0ZTNmZDhmZTguLjNlYzRkN2VkM2EwOWEzMjc0NTQzZGEwZTA1NTkxNmMx N2EyODMwMDIgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUgQEAKKzIwMTgtMDgtMjEgIEpvaG4gV2ls YW5kZXIgIDx3aWxhbmRlckBhcHBsZS5jb20+CisKKyAgICAgICAgU3RvcmFnZSBBY2Nlc3MgQVBJ OiBUaGUgY2FsbCB0byBSZXNvdXJjZUxvYWRTdGF0aXN0aWNzTWVtb3J5U3RvcmU6OmdyYW50U3Rv cmFnZUFjY2Vzc0ludGVybmFsKCkgc2hvdWxkIHNlbmQgZVRMRCsxcywgbm90IGZ1bGwgaG9zdCBu YW1lcworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTg4 NzgzCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS80MzU1OTIxNT4KKworICAgICAgICBSZXZpZXdl ZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIFVJUHJvY2Vzcy9SZXNvdXJjZUxvYWRT dGF0aXN0aWNzTWVtb3J5U3RvcmUuY3BwOgorICAgICAgICAoV2ViS2l0OjpSZXNvdXJjZUxvYWRT dGF0aXN0aWNzTWVtb3J5U3RvcmU6OmdyYW50U3RvcmFnZUFjY2Vzcyk6CisgICAgICAgICAgICBO b3cgc2VuZHMgdGhlIGVUTEQrMSBmb3IgdGhlIHRvcCBmcmFtZSBhbmQgc3ViIGZyYW1lLgorCiAy MDE4LTA4LTIxICBBbGV4IENocmlzdGVuc2VuICA8YWNocmlzdGVuc2VuQHdlYmtpdC5vcmc+CiAK ICAgICAgICAgUmVtb3ZlIHVudXNlZCBzaG91bGRLZWVwQ3VycmVudEJhY2tGb3J3YXJkTGlzdEl0 ZW1Jbkxpc3QgY2hlY2sKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvVUlQcm9jZXNzL1Jlc291 cmNlTG9hZFN0YXRpc3RpY3NNZW1vcnlTdG9yZS5jcHAgYi9Tb3VyY2UvV2ViS2l0L1VJUHJvY2Vz cy9SZXNvdXJjZUxvYWRTdGF0aXN0aWNzTWVtb3J5U3RvcmUuY3BwCmluZGV4IDY0ZjlkYjdlMzMy ZjdmYzVhZDNmN2UwZjExZTFlNzRlZWRhYzYxMjYuLjdmNDVjNzY5YTRhYzkwOWI2ODYyNDlmZWI3 YmI4YTUzYTZjZTc0NGEgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvVUlQcm9jZXNzL1Jlc291 cmNlTG9hZFN0YXRpc3RpY3NNZW1vcnlTdG9yZS5jcHAKKysrIGIvU291cmNlL1dlYktpdC9VSVBy b2Nlc3MvUmVzb3VyY2VMb2FkU3RhdGlzdGljc01lbW9yeVN0b3JlLmNwcApAQCAtNDc0LDcgKzQ3 NCw3IEBAIHZvaWQgUmVzb3VyY2VMb2FkU3RhdGlzdGljc01lbW9yeVN0b3JlOjpncmFudFN0b3Jh Z2VBY2Nlc3MoU3RyaW5nJiYgc3ViRnJhbWVIb3N0CiAgICAgICAgIEFTU0VSVChzdWJGcmFtZVN0 YXRpc3RpYy5oYWRVc2VySW50ZXJhY3Rpb24pOwogICAgICAgICBzdWJGcmFtZVN0YXRpc3RpYy5z dG9yYWdlQWNjZXNzVW5kZXJUb3BGcmFtZU9yaWdpbnMuYWRkKHRvcEZyYW1lUHJpbWFyeURvbWFp bik7CiAgICAgfQotICAgIGdyYW50U3RvcmFnZUFjY2Vzc0ludGVybmFsKFdURk1vdmUoc3ViRnJh bWVIb3N0KSwgV1RGTW92ZSh0b3BGcmFtZUhvc3QpLCBmcmFtZUlELCBwYWdlSUQsIHVzZXJXYXNQ cm9tcHRlZE5vdywgV1RGTW92ZShjb21wbGV0aW9uSGFuZGxlcikpOworICAgIGdyYW50U3RvcmFn ZUFjY2Vzc0ludGVybmFsKFdURk1vdmUoc3ViRnJhbWVQcmltYXJ5RG9tYWluKSwgV1RGTW92ZSh0 b3BGcmFtZVByaW1hcnlEb21haW4pLCBmcmFtZUlELCBwYWdlSUQsIHVzZXJXYXNQcm9tcHRlZE5v dywgV1RGTW92ZShjb21wbGV0aW9uSGFuZGxlcikpOwogfQogCiB2b2lkIFJlc291cmNlTG9hZFN0 YXRpc3RpY3NNZW1vcnlTdG9yZTo6Z3JhbnRTdG9yYWdlQWNjZXNzSW50ZXJuYWwoU3RyaW5nJiYg c3ViRnJhbWVQcmltYXJ5RG9tYWluLCBTdHJpbmcmJiB0b3BGcmFtZVByaW1hcnlEb21haW4sIHN0 ZDo6b3B0aW9uYWw8dWludDY0X3Q+IGZyYW1lSUQsIHVpbnQ2NF90IHBhZ2VJRCwgYm9vbCB1c2Vy V2FzUHJvbXB0ZWROb3dPckVhcmxpZXIsIENvbXBsZXRpb25IYW5kbGVyPHZvaWQoYm9vbCk+JiYg Y2FsbGJhY2spCg==