Bug 222398

Summary:

Activating Reader View permanently sets window.PublicKeyCredential to undefined

Product:

WebKit

Reporter:

Matthew Miller (Cisco) <matthew>

Component:

WebKit Misc.

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED CONFIGURATION CHANGED

Severity:

Normal

CC:

achristensen, ap, beidson, cdumez, jiewen_tan, rmondello, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

Safari 14

Hardware:

Mac (Intel)

OS:

macOS 11

Attachments:

Description	Flags
Video demonstrating the issue	none
Screenshot of `window.PublicKeyCredential` returning `undefined` after Reader View toggle	none

Matthew Miller (Cisco)

Reported 2021-02-24 18:31:14 PST

Created attachment 421492 [details] Video demonstrating the issue I accidentally discovered today in Safari 14.0.3 that activating Reader View sets that tab's `window.PublicKeyCredential` to `undefined`. This permanently disables API's like WebAuthn in that tab, and the undefined value persists across page reloads. The webpage must be reloaded in a new tab to restore functionality. I've attached a video demonstrating the issue, as well as a screenshot showing `window.PublicKeyCredential` returning `undefined` after having toggled Reader View with the keyboard shortcut Cmd + Shift + R.

Attachments
Video demonstrating the issue (2.82 MB, video/quicktime) 2021-02-24 18:31 PST, Matthew Miller (Cisco)	no flags	Details
Screenshot of `window.PublicKeyCredential` returning `undefined` after Reader View toggle (66.72 KB, image/png) 2021-02-24 18:32 PST, Matthew Miller (Cisco)	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Matthew Miller (Cisco)

Comment 1 2021-02-24 18:32:14 PST

Created attachment 421493 [details] Screenshot of `window.PublicKeyCredential` returning `undefined` after Reader View toggle

Alexey Proskuryakov

Comment 2 2021-02-25 17:18:35 PST

I wonder if this is the only property affected!

Matthew Miller (Cisco)

Comment 3 2021-02-26 08:50:15 PST

I've come with a reproduction and instructions that reliably demonstrates the issue: https://codepen.io/IAmKale/pen/oNYEEPX I've also prepared this gist with the code above as a standalone HTML document if you wish to test this locally minus the added variance of CodePen's inner workings: https://gist.github.com/MasterKale/e1372606296aaee7883288218a6e616f

Chris Dumez

Comment 4 2021-02-26 09:12:50 PST

Would seem like a Safari bug not a WebKit one?

Radar WebKit Bug Importer

Comment 5 2021-02-26 09:13:00 PST

<rdar://problem/74792804>

Matthew Miller (Cisco)

Comment 6 2021-02-26 09:28:46 PST

I played around a bit and identified a few other things that become undefined after toggling Safari's Reader View: window.AuthenticatorAssertionResponse window.AuthenticatorAttestationResponse window.AuthenticatorResponse window.Credential window.CredentialsContainer window.PublicKeyCredential @Chris: I apologize if this wasn't the appropriate place to raise this issue, I didn't really know where else to post this to...that's on me for conflating the two projects.

Chris Dumez

Comment 7 2021-02-26 09:56:40 PST

(In reply to matthew from comment #6) > I played around a bit and identified a few other things that become > undefined after toggling Safari's Reader View: > > window.AuthenticatorAssertionResponse > window.AuthenticatorAttestationResponse > window.AuthenticatorResponse > window.Credential > window.CredentialsContainer > window.PublicKeyCredential > > @Chris: I apologize if this wasn't the appropriate place to raise this > issue, I didn't really know where else to post this to...that's on me for > conflating the two projects. In all fairness. I am not entirely sure if the bug is on WebKit side of Safari side. I would have thought the Safari side since reader mode is a Safari feature. That said, it is interesting that this is only impacting crypto/auth-related properties.

Chris Dumez

Comment 8 2021-02-26 10:05:36 PST

(In reply to Chris Dumez from comment #7) > (In reply to matthew from comment #6) > > I played around a bit and identified a few other things that become > > undefined after toggling Safari's Reader View: > > > > window.AuthenticatorAssertionResponse > > window.AuthenticatorAttestationResponse > > window.AuthenticatorResponse > > window.Credential > > window.CredentialsContainer > > window.PublicKeyCredential > > > > @Chris: I apologize if this wasn't the appropriate place to raise this > > issue, I didn't really know where else to post this to...that's on me for > > conflating the two projects. > > In all fairness. I am not entirely sure if the bug is on WebKit side of > Safari side. I would have thought the Safari side since reader mode is a > Safari feature. That said, it is interesting that this is only impacting > crypto/auth-related properties. This could be an issue with interfaces marked as [SecureContext] in the IDL. My bet is that it impacts window.Cache & window.MediaDevices too. If so, this is likely a WebKit bindings bug.

Matthew Miller (Cisco)

Comment 9 2021-02-26 10:09:57 PST

(In reply to Chris Dumez from comment #8) > This could be an issue with interfaces marked as [SecureContext] in the IDL. > My bet is that it impacts window.Cache & window.MediaDevices too. If so, > this is likely a WebKit bindings bug. Cache and MediaDevices were both in the list of properties on window (as returned by `Object.getOwnPropertyNames(window)`) that I checked to see were undefined, but they remained defined. That's not to say these properties weren't modified within as I didn't delve deeper than checking if they were defined or not.

Chris Dumez

Comment 10 2021-03-03 16:02:57 PST

I just went to: https://www.cnn.com/2021/03/03/politics/stimulus-check-eligibility-senate-bill/index.html 1. Opened WebInspector and checked that window.PublicKeyCredential returns a Function 2. Activated Reader Mode 3. Deactivated Reader mode 4. Opened WebInspector and checked that window.PublicKeyCredential still returns a Function There was no issue for me. Can you reproduce on this CNN article (ideally with Safari Technology Preview)? Or is the issue specific to the page you are testing somehow?

Chris Dumez

Comment 11 2021-03-03 16:09:11 PST

(In reply to Chris Dumez from comment #10) > I just went to: > https://www.cnn.com/2021/03/03/politics/stimulus-check-eligibility-senate- > bill/index.html > > 1. Opened WebInspector and checked that window.PublicKeyCredential returns a > Function > 2. Activated Reader Mode > 3. Deactivated Reader mode > 4. Opened WebInspector and checked that window.PublicKeyCredential still > returns a Function > > There was no issue for me. Can you reproduce on this CNN article (ideally > with Safari Technology Preview)? Or is the issue specific to the page you > are testing somehow? I have also just tried https://codepen.io/IAmKale/pen/oNYEEPX. I see: `window.PublicKeyCredential === undefined: false` before and after reader mode, also after reloading. I am on using Safari Technology Preview 121 so it is possible this has been fixed after Safari 14.0.3. Would you mind trying in Safari Technology Preview 121 to confirm if this has indeed been fixed or if I am just unable to reproduce the bug for some other reason? Thanks!

Matthew Miller (Cisco)

Comment 12 2021-03-03 16:46:18 PST

> I have also just tried https://codepen.io/IAmKale/pen/oNYEEPX. I see: > `window.PublicKeyCredential === undefined: false` > > before and after reader mode, also after reloading. I am on using Safari > Technology Preview 121 so it is possible this has been fixed after Safari > 14.0.3. > > Would you mind trying in Safari Technology Preview 121 to confirm if this > has indeed been fixed or if I am just unable to reproduce the bug for some > other reason? > > Thanks! I was unable to recreate the issue in Safari Technology Preview 121, so I suppose this will eventually stop being an issue whenever 121 hits Stable. That's good news :)

Chris Dumez

Comment 13 2021-03-03 16:48:42 PST

(In reply to matthew from comment #12) > > I have also just tried https://codepen.io/IAmKale/pen/oNYEEPX. I see: > > `window.PublicKeyCredential === undefined: false` > > > > before and after reader mode, also after reloading. I am on using Safari > > Technology Preview 121 so it is possible this has been fixed after Safari > > 14.0.3. > > > > Would you mind trying in Safari Technology Preview 121 to confirm if this > > has indeed been fixed or if I am just unable to reproduce the bug for some > > other reason? > > > > Thanks! > > I was unable to recreate the issue in Safari Technology Preview 121, so I > suppose this will eventually stop being an issue whenever 121 hits Stable. > That's good news :) Excellent news! Thanks for testing. Closing this as this appear this was fixed in development, we just need to wait a bit for the fix to ship.

Note You need to log in before you can comment on or make changes to this bug.