| Field | Value |
|---|---|
| Summary | [WebAuthn] Give Storage Access API whenever user accepts cross-origin Webauthn prompt |
| Product | WebKit |
| Component | WebKit Misc. |
| Status | RESOLVED INVALID |
| Severity | Normal |
| Priority | P2 |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | pascoe <pascoe> |
| Assignee | pascoe <pascoe> |
| CC | bfulgham, webkit-bug-importer, wilander |
| Keywords | InRadar |
| Bug Depends on | 222240 |
| Bug Blocks | |
| Attachments | |

Description
pascoe@apple.com
2022-03-02 16:32:42 PST
It's important that anything that opens up storage access uses prompt language that makes cross-site tracking capabilities clear.

Created attachment 455067 [details]
Patch

Comment on attachment 455067 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=455067&action=review

r=me

> Source/WebKit/ChangeLog:10
> + assertion. On the apple port, the prompt required for cross-origin assertions includes

Nit: 'Apple' port

> Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp:62
> + crossOriginParent = document->securityOrigin().data();

Are these ever different when the 'isSameOriginAs' test passes? I wonder if this part of the change is needed.

(In reply to Brent Fulgham from comment #4)
> > Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp:62
> > + crossOriginParent = document->securityOrigin().data();
>
> Are these ever different when the 'isSameOriginAs' test passes? I wonder if
> this part of the change is needed.

They are different here because the check above checks that isSameOriginAs doesn't pass.

> if (!crossOriginParent && !origin.isSameOriginAs(document->securityOrigin()))

Thank you for the review.

Created attachment 455120 [details]
Patch for landing
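
Review bot: at Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp:62, the assignment to crossOriginParent sits under the condition `!crossOriginParent && !origin.isSameOriginAs(document->securityOrigin())`, and the review exchange shows that the negation is easy to miss. Suggest a one-line comment above the assignment stating that this branch is taken only when origin is not same-origin with the document, so the next reader does not take the assignment for a same-origin no-op.
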
After further discussion, this will be handled a different way.