NEW 181850
Cross-origin storage in "Add to home screen" apps always lost 
https://bugs.webkit.org/show_bug.cgi?id=181850
Summary Cross-origin storage in "Add to home screen" apps always lost
Ashley Gullen
Reported 2018-01-19 06:10:43 PST
Web apps run from the home screen don't persist any storage which isn't on the main origin. This is related to issue 181849 and the repro here simply uses a cross-origin iframe of the other test. Demo: 1) Visit https://downloads.scirra.com/misc/bugs/iosframedstorage/ 2) Add the page to the home screen 3) Close Safari 4) Open the home screen app 5) Enter the number 123 and press 'Save' 6) Close the home screen app 7) Open the home screen app 8) Press 'Load' Expected result: text to change to "Loaded: 123" Observed result: text changes to "Loaded: null" Our PWA (editor.construct.net) uses a cross-origin, iframed login form for improved security. However due to this bug, saved login details are never remembered when running from the home screen. This means, combined with issue 181849, anyone who uses our PWA from the home screen can never have their login details saved; they must re-enter them every time they load the app.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2018-03-20 09:08:55 PDT
<rdar://problem/38665510>
Chris Dumez
Comment 2 2018-03-20 09:09:49 PDT
I was able to reproduce.
Radar WebKit Bug Importer
Comment 3 2018-03-20 09:10:04 PDT
<rdar://problem/38665567>
John Wilander
Comment 4 2018-03-20 11:22:08 PDT
Ashley, thanks for the report! I started looking at the iframe's JavaScript but it looks conditionalized. Could you explain which type of storage you are using? Multiple? While I have your attention, which version of iOS are you seeing this on? Did it work on previous iOS versions?
John Wilander
Comment 5 2018-03-20 11:24:07 PDT
Using <rdar://problem/38665567> as the Radar master.
Ashley Gullen
Comment 6 2018-03-21 05:01:41 PDT
The repro uses localforage, a common storage library: https://github.com/localForage/localForage I believe it will default to IndexedDB. You can also explicitly choose the "driver" (e.g. IndexedDB, WebSQL, localStorage etc) which might help for testing each API. I just tested iOS 11.2.6 on an iPad Air 2 which reproduces the problem. AFAIK it has never worked.
John Wilander
Comment 7 2022-06-16 08:02:50 PDT
I realize I never asked you if the iframe is cross-site or if it’s same-site and just cross-origin.
Ashley Gullen
Comment 8 2022-06-21 08:49:34 PDT
Our production app is same-site: the top frame is editor.construct.net, and the login form is account.construct.net in an iframe. The repro was cross-origin, but given this issue is years old it looks like it's gone down now - it should be easy to repro though, just try a basic IndexedDB test in an iframe. I'm not sure how Safari's storage restrictions have evolved over the years since this was filed, but it looks like this also affects Safari 15.5 on macOS. Our web app still can't remember anyone's logins even though the user interacts with the form and we call requestStorageAccess() in a user gesture.
Note You need to log in before you can comment on or make changes to this bug.