Bug 205370
| Summary: | ER: There is no way for nested iframes to get storage access | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Brad <brad.girardeau> |
| Component: | WebCore JavaScript | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | bfulgham, mattcoz, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 13 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Brad
Storage Access API denies all access to nested iframes (since https://bugs.webkit.org/show_bug.cgi?id=176939), but this results in a problem for legitimate integrations that use iframes to isolate third parties from each other for privacy and security, rather than including third party scripts in the first party context. There is no way I'm aware of to allow users to grant consent to a nested iframe for first party cookies.
There should be some way for these integrations to work after user consent -- currently this is breaking the Dropbox Google Docs integration (go to www.dropbox.com, then create a Google Doc inside Dropbox), even when users disable third party tracking protection.
The use case and comment is also described here: https://github.com/whatwg/html/issues/3338#issuecomment-516231497
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/58030067>
John Wilander
This is an enhancement request.
mattcoz
This is a breaking issue for my application. My content is being loaded in a third party context, and I can successfully request storage access, but my content loads additional content in a nested iframe that can't get storage access, even though it is at the same domain as the parent that requested storage access. If you want to continue blocking the storage access request from the nested iframe, storage access should propagate to nested iframes when they are at the same domain.
John Wilander
This has now been resolved in https://bugs.webkit.org/show_bug.cgi?id=216019. Sorry for the forward dupe.
*** This bug has been marked as a duplicate of bug 216019 ***
John Wilander
https://webkit.org/blog/11545/updates-to-the-storage-access-api/