Bug 196318 - REGRESSION: [ITP 2.1] Storage access not granted to the original page after user interacts with the Google Sign-In popup
Summary: REGRESSION: [ITP 2.1] Storage access not granted to the original page after u...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: Safari Technology Preview
Hardware: Macintosh macOS 10.14
: P2 Major
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-03-27 14:46 PDT by Satoshi Ohno
Modified: 2019-03-27 16:16 PDT (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Satoshi Ohno 2019-03-27 14:46:37 PDT
We recently noticed an issue starting from STP 77 (and STP 78) where storage access isn't granted even when the popup is not auto-dismissed.

More specifically: document.hasStorageAccess() still returns false after the popup is closed with a user interaction.

This seems to be in conflict with the "Removed Compatibility Fix for Popups" section in the ITP 2.1 blog post (https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/), where the access would be granted if the popup is not auto-dismissed. Therefore I think this is a bug.

Here are the reproduce steps.

1. Make sure that the 3rd party domain is considered prevalent, in this case, google.com.
2. Open a website implementing Google Sign In. For example, let’s use soundcloud.com.
3. Click on the signin button up top. This would load the iframe under the accounts.google.com domain.
4. Open the console and change the scope to sslFrame_google (iframe). Run document.hasStorageAccess(). As expected this would resolve to false.
5. Click on “Continue with Google”. A popup under accounts.google.com will be opened. Interact with the popup by clicking on a signed in Google account or signing in a new one. The popup will then close.
6. On the opening browser, the page will not sign in the user and will appear as if nothing happened.
7. If you run document.hasStorageAccess() again under the sslFrame_google (iframe) scope, the promise would still resolve to false.

Please let me know if we could help to reproduce this issue!
Comment 1 Radar WebKit Bug Importer 2019-03-27 16:06:58 PDT
<rdar://problem/49357992>
Comment 2 John Wilander 2019-03-27 16:16:18 PDT
Thanks for reporting. We've heard a couple of other reports too so this definitely seems to be a bug.