Bug 216922

Summary: ITP breaks login to bookmarklets
Product: WebKit
Reporter: jena <cicas>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: katherine_cheney, mcatanzaro, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: Safari 13
Hardware: Unspecified
OS: Unspecified

Description jena 2020-09-24 04:04:19 PDT
This issue applies to both Safari 13 and the new Epiphany 3.38.0 (with WebKitGTK 2.30.1). It works fine with other browsers (even Firefox with strict tracking protection).

I use several bookmarklets (pieces of JavaScript, saved as bookmarks, that allow manipulating the currently viewed website) that require login to a service. When I try to log in to the service from the bookmarklet, it doesn't work because cookies don't go through.

One example bookmarklet is Diigolet [1] - it allows saving websites to my Diigo library, making annotations, highlighting text, adding sticky notes etc. (similar to Evernote). When I find a website that I want to save and annotate, I would open the bookmarklet from my bookmarks menu and log in (usually I log in just once). The login page opens in a new tab, and after successful login I would return to the page I want to save. However, this fails in Safari and Epiphany with ITP enabled and the bookmarklet stays logged out.

Another bookmarklet experiencing this problem is Mendeley (a reference manager, which allows collection of scientific papers and citations through browser plugin/bookmarklet). This bookmarklet explicitly complains about 3rd-party cookies being blocked. I used to have this issue years ago in Chrome after I started blocking 3rd-party cookies, and I resolved it by whitelisting the domain of Mendeley.

However, whitelisting of domains does not seem to be available in either Safari or Epiphany. One of the maintainers of Epiphany mentioned that this would require work in WebKit itself [2]. Would it be possible to implement support for a user-defined whitelist of domains that would be excluded from ITP?

Note that the JavaScript snippets in bookmarklets are not active at all times and are only invoked when the user specifically wishes to use their functionality (in my case saving to a cloud service/personal library). Moreover, even login to services like Disqus has similar issues (the login page opens in a new tab, but the service seems logged out after returning to the original page with the Disqus comment section).

[1] https://www.diigo.com/tools/diigolet
[2] https://blogs.gnome.org/mcatanzaro/2020/09/16/epiphany-3-38-and-webkitgtk-2-30/#comment-19098
Comment 1 John Wilander 2020-09-25 19:16:08 PDT
(In reply to jena from comment #0)
> This issue applies to both Safari 13 and the new Epiphany 3.38.0 (with
> WebKitGTK 2.30.1). It works fine with other browsers (even Firefox with
> strict tracking protection).
> 
> I use several bookmarklets (pieces of JavaScript, saved as bookmarks, that
> allow manipulating the currently viewed website) that require login to a
> service. When I try to log in to the service from the bookmarklet, it doesn't
> work because cookies don't go through.
> 
> One example bookmarklet is Diigolet [1] - it allows saving websites to my
> Diigo library, making annotations, highlighting text, adding sticky notes etc.
> (similar to Evernote). When I find a website that I want to save and
> annotate, I would open the bookmarklet from my bookmarks menu and login
> (usually I login just once). Login page opens in a new tab, and after
> successful login I would return to the page I want to save. However this
> fails in Safari and Epiphany with ITP enabled and the bookmarklet stays
> logged out.
> 
> Another bookmarklet experiencing this problem is Mendeley (a reference
> manager, which allows collection of scientific papers and citations through
> browser plugin/bookmarklet). This bookmarklet explicitly complains about
> 3rd-party cookies being blocked. I used to have this issue years ago in
> Chrome after I started blocking 3rd-party cookies, and I resolved it by
> whitelisting the domain of Mendeley.
> 
> However whitelisting of domains does not seem to be available in either
> Safari nor Epiphany. One of the maintainers of Epiphany mentioned that this
> would require work in Webkit itself [2]. Would it be possible to implement
> support for user-defined whitelist of domains that would be excluded from
> ITP?
> 
> Note that the javascript snippets in bookmarklets are not active at all
> times and are only invoked when the user specifically wishes to use their
> functionality (in my case saving to cloud service/personal library).
> Moreover, even login to services like Disqus has similar issues (the login
> page opens in a new tab, but the service seems logged out after returning to
> the original page with the Disqus comment section).
> 
> [1] https://www.diigo.com/tools/diigolet
> [2] https://blogs.gnome.org/mcatanzaro/2020/09/16/epiphany-3-38-and-webkitgtk-2-30/#comment-19098

Hi, and thanks for filing!

We use the term allow list for what you're describing.

The person you talked to is right in that there is no current support for exempting a specific domain from third-party cookie blocking globally. Instead, the third-party needs to call the Storage Access API and ask for the user's permission. Web extensions have some form of opt out but I do not think it's a per-domain thing.

We don't offer per-site or global exceptions since we believe it would drive websites to pressure users to opt out of privacy protections.

As for comparison with other browsers, Safari and the Tor Browser (and quite possibly Epiphany, based on your report) are the only browsers that block all third-party cookies by default. There is one browser I know of that blocks all third-party cookies *with a few exceptions*. The rest with some form of tracking prevention, including Firefox, *allow* all third-party cookies by default and then block based on a list.

The goal is to fully deprecate third-party cookies outside cases where the user opts in. I don't know what it would take technically to allow bookmarklets to get an exception, or if that's a good idea.
Comment 2 jena 2020-09-30 05:59:12 PDT
Thank you for your reply.

On the website of Safari [1] there is a picture under the headline "Defending your online privacy and security", which shows Safari asking about allowing 3rd-party cookies on a shown website (a travel blog with Facebook comment section).

I assume that if one allows these cookies, they are placed on some list, under a domain. Or does it work differently? Could this list be used when logging in to bookmarklets?

We are talking about a scenario where I can log in to a service (Diigo, Mendeley, Facebook, Disqus, ...) on the service website and then be able to use the service on other websites (e.g. as a comment section form or a bookmarklet toolbar). I understand it allows for tracking, but this is why it should be given as a choice to the user of that particular service, as seen in the picture linked above. Blocking everything leads to disappointed users, I'm afraid. And I do not see a fundamental technological difference between cookies from Facebook/Disqus comments on a blog and cookies from a bookmarklet. However, there is a difference in threat - bookmarklets (saved locally in the browser, by the way) are invoked by user action, which is not the case for website elements like comment forms. In my view, they pose a lower threat to the user's privacy than other common parts of the modern web.

One more detail - when I use Diigolet in Firefox, the login doesn't open in a new tab, but rather as a dialog tied to the same page. Could this be used as another/alternative solution in WebKit?


[1] https://www.apple.com/safari/
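The mechanism comment 1 points to, and the permission prompt comment 2 describes from the Safari product page, is the Storage Access API: a cross-site embed (the Diigo or Disqus iframe on someone else's page) calls document.requestStorageAccess() from a user gesture, and WebKit asks the user whether that site may use its cookies while browsing the embedding page. The following is an added example of that flow, not code from this bug report or from WebKit; the document and button objects are injected (pass the real `document` and a real button in a page) so the same logic can be exercised against constructed stand-ins outside a browser, and the `makeFake*` helpers and `runScenario` are assumptions made for that purpose.

```javascript
// Added example (not code from the bug report or from WebKit): the Storage
// Access API flow a cross-site embed follows under ITP. `doc` is injected so
// the logic can run against a constructed fake; in a real page pass `document`.

// Returns "unsupported", "granted" or "needs-request".
async function storageAccessState(doc) {
  // A browser without the API does not partition the embed's cookies this way,
  // so there is nothing to request.
  if (typeof doc.hasStorageAccess !== "function") {
    return "unsupported";
  }
  return (await doc.hasStorageAccess()) ? "granted" : "needs-request";
}

// Must run inside a user-activation handler (a click in the iframe): WebKit
// rejects requestStorageAccess() calls that are not gesture-driven, and the
// user may decline the prompt. Both surface as a rejected promise.
async function requestAccessOnGesture(doc) {
  try {
    await doc.requestStorageAccess();
    return "granted";
  } catch (err) {
    return "denied";
  }
}

// Wires the two together for an embed with a "Log in" button. Only after
// access is granted do the embed's requests carry its unpartitioned cookies,
// so the logged-in view is loaded strictly after that point.
async function setupEmbed(doc, button, loadLoggedInView) {
  const state = await storageAccessState(doc);
  if (state !== "needs-request") {
    await loadLoggedInView();
    return state;
  }
  button.addEventListener("click", async () => {
    if ((await requestAccessOnGesture(doc)) === "granted") {
      await loadLoggedInView();
    }
  });
  return state;
}

// Constructed stand-ins for `document` and a button (assumed helpers, not
// browser APIs). `userWillGrant` models the user's answer to the prompt.
function makeFakeDocument({ hasAccess, userWillGrant }) {
  let granted = hasAccess;
  return {
    hasStorageAccess: async () => granted,
    requestStorageAccess: async () => {
      if (!userWillGrant) throw new Error("NotAllowedError");
      granted = true;
    },
  };
}

function makeFakeButton() {
  const handlers = [];
  return {
    addEventListener: (type, fn) => { if (type === "click") handlers.push(fn); },
    // Simulates the user clicking; resolves once every handler has finished.
    click: async () => { for (const fn of handlers) await fn(); },
  };
}

// Runs the whole flow for one scenario and reports what happened.
async function runScenario({ hasAccess, userWillGrant }) {
  const doc = makeFakeDocument({ hasAccess, userWillGrant });
  const button = makeFakeButton();
  let loggedInViewLoads = 0;
  const initialState = await setupEmbed(doc, button, async () => { loggedInViewLoads++; });
  await button.click();
  return { initialState, loggedInViewLoads, finalAccess: await doc.hasStorageAccess() };
}

// Example run: an embed whose cookies are blocked, with a user who grants access.
runScenario({ hasAccess: false, userWillGrant: true }).then((r) => console.log(r));
```

The call has to come from the embedded third-party frame, not from the top-level page: a bookmarklet's script runs in the first-party document, which already has its own cookies, so it is the diigo.com or disqus.com iframe the bookmarklet injects that must make the request. That is also why the decision is per embed-and-site rather than a global per-domain allow list, which is the design point comment 1 explains.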
Comment 3 jena 2020-09-30 06:05:33 PDT
PS: I couldn't link to the Safari picture directly, as it is some web element that I do not understand (it's not a classic picture), but I made a screenshot and put it in my Dropbox in case the website changes:

https://www.dropbox.com/s/elsjajpt7hfiub5/Sn%C3%ADmek%20z%202020-09-30%2015-01-38.png?dl=0
Comment 4 Radar WebKit Bug Importer 2020-10-01 04:05:13 PDT
<rdar://problem/69831109>