181850 – Cross-origin storage in "Add to home screen" apps always lost

Bug 181850 - Cross-origin storage in "Add to home screen" apps always lost

Summary: Cross-origin storage in "Add to home screen" apps always lost

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	Safari 11
Hardware:	iPhone / iPad iOS 11

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2018-01-19 06:10 PST by Ashley Gullen
Modified:	2022-06-21 08:49 PDT (History)
CC List:	9 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ashley Gullen 2018-01-19 06:10:43 PST

Web apps run from the home screen don't persist any storage which isn't on the main origin. This is related to issue 181849 and the repro here simply uses a cross-origin iframe of the other test. Demo:

1) Visit https://downloads.scirra.com/misc/bugs/iosframedstorage/
2) Add the page to the home screen
3) Close Safari
4) Open the home screen app
5) Enter the number 123 and press 'Save'
6) Close the home screen app
7) Open the home screen app
8) Press 'Load'

Expected result: text to change to "Loaded: 123"
Observed result: text changes to "Loaded: null"

Our PWA (editor.construct.net) uses a cross-origin, iframed login form for improved security. However due to this bug, saved login details are never remembered when running from the home screen. This means, combined with issue 181849, anyone who uses our PWA from the home screen can never have their login details saved; they must re-enter them every time they load the app.

Comment 1 Radar WebKit Bug Importer 2018-03-20 09:08:55 PDT

<rdar://problem/38665510>

Comment 2 Chris Dumez 2018-03-20 09:09:49 PDT

I was able to reproduce.

Comment 3 Radar WebKit Bug Importer 2018-03-20 09:10:04 PDT

<rdar://problem/38665567>

Comment 4 John Wilander 2018-03-20 11:22:08 PDT

Ashley, thanks for the report! I started looking at the iframe's JavaScript but it looks conditionalized. Could you explain which type of storage you are using? Multiple?

While I have your attention, which version of iOS are you seeing this on? Did it work on previous iOS versions?

Comment 5 John Wilander 2018-03-20 11:24:07 PDT

Using <rdar://problem/38665567> as the Radar master.

Comment 6 Ashley Gullen 2018-03-21 05:01:41 PDT

The repro uses localforage, a common storage library: https://github.com/localForage/localForage
I believe it will default to IndexedDB. You can also explicitly choose the "driver" (e.g. IndexedDB, WebSQL, localStorage etc) which might help for testing each API.

I just tested iOS 11.2.6 on an iPad Air 2 which reproduces the problem. AFAIK it has never worked.

Comment 7 John Wilander 2022-06-16 08:02:50 PDT

I realize I never asked you if the iframe is cross-site or if it’s same-site and just cross-origin.

Comment 8 Ashley Gullen 2022-06-21 08:49:34 PDT

Our production app is same-site: the top frame is editor.construct.net, and the login form is account.construct.net in an iframe. The repro was cross-origin, but given this issue is years old it looks like it's gone down now - it should be easy to repro though, just try a basic IndexedDB test in an iframe.

I'm not sure how Safari's storage restrictions have evolved over the years since this was filed, but it looks like this also affects Safari 15.5 on macOS. Our web app still can't remember anyone's logins even though the user interacts with the form and we call requestStorageAccess() in a user gesture.