Bug 222398

Summary: Activating Reader View permanently sets window.PublicKeyCredential to undefined
Product: WebKit Reporter: matthew
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: achristensen, ap, beidson, cdumez, jiewen_tan, rmondello, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 14   
Hardware: Mac (Intel)   
OS: macOS 11   
Attachments:
Description Flags
Video demonstrating the issue
none
Screenshot of `window.PublicKeyCredential` returning `undefined` after Reader View toggle none

matthew
Reported 2021-02-24 18:31:14 PST
Created attachment 421492 [details] Video demonstrating the issue I accidentally discovered today in Safari 14.0.3 that activating Reader View sets that tab's `window.PublicKeyCredential` to `undefined`. This permanently disables API's like WebAuthn in that tab, and the undefined value persists across page reloads. The webpage must be reloaded in a new tab to restore functionality. I've attached a video demonstrating the issue, as well as a screenshot showing `window.PublicKeyCredential` returning `undefined` after having toggled Reader View with the keyboard shortcut Cmd + Shift + R.
Attachments
Video demonstrating the issue (2.82 MB, video/quicktime)
2021-02-24 18:31 PST, matthew 		no flags
Details
Screenshot of `window.PublicKeyCredential` returning `undefined` after Reader View toggle (66.72 KB, image/png)
2021-02-24 18:32 PST, matthew 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
matthew
Comment 1 2021-02-24 18:32:14 PST
Created attachment 421493 [details] Screenshot of `window.PublicKeyCredential` returning `undefined` after Reader View toggle
Alexey Proskuryakov
Comment 2 2021-02-25 17:18:35 PST
I wonder if this is the only property affected!
matthew
Comment 3 2021-02-26 08:50:15 PST
I've come with a reproduction and instructions that reliably demonstrates the issue: https://codepen.io/IAmKale/pen/oNYEEPX I've also prepared this gist with the code above as a standalone HTML document if you wish to test this locally minus the added variance of CodePen's inner workings: https://gist.github.com/MasterKale/e1372606296aaee7883288218a6e616f
Chris Dumez
Comment 4 2021-02-26 09:12:50 PST
Would seem like a Safari bug not a WebKit one?
Radar WebKit Bug Importer
Comment 5 2021-02-26 09:13:00 PST
<rdar://problem/74792804>
matthew
Comment 6 2021-02-26 09:28:46 PST
I played around a bit and identified a few other things that become undefined after toggling Safari's Reader View: window.AuthenticatorAssertionResponse window.AuthenticatorAttestationResponse window.AuthenticatorResponse window.Credential window.CredentialsContainer window.PublicKeyCredential @Chris: I apologize if this wasn't the appropriate place to raise this issue, I didn't really know where else to post this to...that's on me for conflating the two projects.
Chris Dumez
Comment 7 2021-02-26 09:56:40 PST
(In reply to matthew from comment #6) > I played around a bit and identified a few other things that become > undefined after toggling Safari's Reader View: > > window.AuthenticatorAssertionResponse > window.AuthenticatorAttestationResponse > window.AuthenticatorResponse > window.Credential > window.CredentialsContainer > window.PublicKeyCredential > > @Chris: I apologize if this wasn't the appropriate place to raise this > issue, I didn't really know where else to post this to...that's on me for > conflating the two projects. In all fairness. I am not entirely sure if the bug is on WebKit side of Safari side. I would have thought the Safari side since reader mode is a Safari feature. That said, it is interesting that this is only impacting crypto/auth-related properties.
Chris Dumez
Comment 8 2021-02-26 10:05:36 PST
(In reply to Chris Dumez from comment #7) > (In reply to matthew from comment #6) > > I played around a bit and identified a few other things that become > > undefined after toggling Safari's Reader View: > > > > window.AuthenticatorAssertionResponse > > window.AuthenticatorAttestationResponse > > window.AuthenticatorResponse > > window.Credential > > window.CredentialsContainer > > window.PublicKeyCredential > > > > @Chris: I apologize if this wasn't the appropriate place to raise this > > issue, I didn't really know where else to post this to...that's on me for > > conflating the two projects. > > In all fairness. I am not entirely sure if the bug is on WebKit side of > Safari side. I would have thought the Safari side since reader mode is a > Safari feature. That said, it is interesting that this is only impacting > crypto/auth-related properties. This could be an issue with interfaces marked as [SecureContext] in the IDL. My bet is that it impacts window.Cache & window.MediaDevices too. If so, this is likely a WebKit bindings bug.
matthew
Comment 9 2021-02-26 10:09:57 PST
(In reply to Chris Dumez from comment #8) > This could be an issue with interfaces marked as [SecureContext] in the IDL. > My bet is that it impacts window.Cache & window.MediaDevices too. If so, > this is likely a WebKit bindings bug. Cache and MediaDevices were both in the list of properties on window (as returned by `Object.getOwnPropertyNames(window)`) that I checked to see were undefined, but they remained defined. That's not to say these properties weren't modified within as I didn't delve deeper than checking if they were defined or not.
Chris Dumez
Comment 10 2021-03-03 16:02:57 PST
I just went to: https://www.cnn.com/2021/03/03/politics/stimulus-check-eligibility-senate-bill/index.html 1. Opened WebInspector and checked that window.PublicKeyCredential returns a Function 2. Activated Reader Mode 3. Deactivated Reader mode 4. Opened WebInspector and checked that window.PublicKeyCredential still returns a Function There was no issue for me. Can you reproduce on this CNN article (ideally with Safari Technology Preview)? Or is the issue specific to the page you are testing somehow?
Chris Dumez
Comment 11 2021-03-03 16:09:11 PST
(In reply to Chris Dumez from comment #10) > I just went to: > https://www.cnn.com/2021/03/03/politics/stimulus-check-eligibility-senate- > bill/index.html > > 1. Opened WebInspector and checked that window.PublicKeyCredential returns a > Function > 2. Activated Reader Mode > 3. Deactivated Reader mode > 4. Opened WebInspector and checked that window.PublicKeyCredential still > returns a Function > > There was no issue for me. Can you reproduce on this CNN article (ideally > with Safari Technology Preview)? Or is the issue specific to the page you > are testing somehow? I have also just tried https://codepen.io/IAmKale/pen/oNYEEPX. I see: `window.PublicKeyCredential === undefined: false` before and after reader mode, also after reloading. I am on using Safari Technology Preview 121 so it is possible this has been fixed after Safari 14.0.3. Would you mind trying in Safari Technology Preview 121 to confirm if this has indeed been fixed or if I am just unable to reproduce the bug for some other reason? Thanks!
matthew
Comment 12 2021-03-03 16:46:18 PST
> I have also just tried https://codepen.io/IAmKale/pen/oNYEEPX. I see: > `window.PublicKeyCredential === undefined: false` > > before and after reader mode, also after reloading. I am on using Safari > Technology Preview 121 so it is possible this has been fixed after Safari > 14.0.3. > > Would you mind trying in Safari Technology Preview 121 to confirm if this > has indeed been fixed or if I am just unable to reproduce the bug for some > other reason? > > Thanks! I was unable to recreate the issue in Safari Technology Preview 121, so I suppose this will eventually stop being an issue whenever 121 hits Stable. That's good news :)
Chris Dumez
Comment 13 2021-03-03 16:48:42 PST
(In reply to matthew from comment #12) > > I have also just tried https://codepen.io/IAmKale/pen/oNYEEPX. I see: > > `window.PublicKeyCredential === undefined: false` > > > > before and after reader mode, also after reloading. I am on using Safari > > Technology Preview 121 so it is possible this has been fixed after Safari > > 14.0.3. > > > > Would you mind trying in Safari Technology Preview 121 to confirm if this > > has indeed been fixed or if I am just unable to reproduce the bug for some > > other reason? > > > > Thanks! > > I was unable to recreate the issue in Safari Technology Preview 121, so I > suppose this will eventually stop being an issue whenever 121 hits Stable. > That's good news :) Excellent news! Thanks for testing. Closing this as this appear this was fixed in development, we just need to wait a bit for the fix to ship.
Note You need to log in before you can comment on or make changes to this bug.