Bug 237399

Summary: [WebAuthn] Give Storage Access API whenever user accepts cross-origin Webauthn prompt
Product: WebKit
Reporter: pascoe <pascoe>
Component: WebKit Misc.
Assignee: pascoe <pascoe>
Status: RESOLVED INVALID
Severity: Normal
CC: bfulgham, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 222240    
Bug Blocks:    

pascoe@apple.com
Reported 2022-03-02 16:32:42 PST
This is needed for cross-origin authenticating iframes to use cookies.
Attachments
Patch (9.44 KB, patch)
2022-03-17 23:02 PDT, pascoe@apple.com
no flags
Patch for landing (9.45 KB, patch)
2022-03-18 11:53 PDT, pascoe@apple.com
ews-feeder: commit-queue-
Radar WebKit Bug Importer
Comment 1 2022-03-02 16:34:07 PST
John Wilander
Comment 2 2022-03-03 11:36:47 PST
It's important that anything that opens up storage access uses prompt language that makes cross-site tracking capabilities clear.
pascoe@apple.com
Comment 3 2022-03-17 23:02:23 PDT
Brent Fulgham
Comment 4 2022-03-18 09:37:37 PDT
Comment on attachment 455067
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=455067&action=review

r=me

> Source/WebKit/ChangeLog:10
> + assertion. On the apple port, the prompt required for cross-origin assertions includes

Nit: 'Apple' port

> Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp:62
> + crossOriginParent = document->securityOrigin().data();

Are these ever different when the 'isSameOriginAs' test passes? I wonder if this part of the change is needed.
pascoe@apple.com
Comment 5 2022-03-18 09:39:37 PDT
(In reply to Brent Fulgham from comment #4)
> > Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp:62
> > + crossOriginParent = document->securityOrigin().data();
>
> Are these ever different when the 'isSameOriginAs' test passes? I wonder if
> this part of the change is needed.

They are different here because the check above checks that isSameOriginAs doesn't pass.

> if (!crossOriginParent && !origin.isSameOriginAs(document->securityOrigin()))

Thank you for the review.
pascoe@apple.com
Comment 6 2022-03-18 11:53:23 PDT
Created attachment 455120
Patch for landing
Brent Fulgham
Comment 7 2022-06-23 15:42:27 PDT
After further discussion, this will be handled a different way.