205370 – ER: There is no way for nested iframes to get storage access

RESOLVED DUPLICATE of bug 216019205370

ER: There is no way for nested iframes to get storage access

https://bugs.webkit.org/show_bug.cgi?id=205370

Summary ER: There is no way for nested iframes to get storage access

Brad

Reported 2019-12-17 18:05:40 PST

Storage Access API denies all access to nested iframes (since https://bugs.webkit.org/show_bug.cgi?id=176939), but this results in a problem for legitimate integrations that use iframes to isolate third parties from each other for privacy and security, rather than including third party scripts in the first party context. There is no way I'm aware of to allow users to grant consent to a nested iframe for first party cookies. There should be some way for these integrations to work after user consent -- currently this is breaking the Dropbox Google Docs integration (go to www.dropbox.com, then create a Google Doc inside Dropbox), even when users disable third party tracking protection. The use case and comment is also described here: https://github.com/whatwg/html/issues/3338#issuecomment-516231497

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2019-12-17 19:10:20 PST

<rdar://problem/58030067>

John Wilander

Comment 2 2019-12-19 14:09:06 PST

This is an enhancement request.

mattcoz

Comment 3 2020-04-05 14:28:23 PDT

This is a breaking issue for my application. My content is being loaded in a third party context, and I can successfully request storage access, but my content loads additional content in a nested iframe that can't get storage access, even though it is at the same domain as the parent that requested storage access. If you want to continue blocking the storage access request from the nested iframe, storage access should propagate to nested iframes when they are at the same domain.

John Wilander

Comment 4 2020-09-02 13:00:08 PDT

This has now been resolved in https://bugs.webkit.org/show_bug.cgi?id=216019. Sorry for the forward dupe. *** This bug has been marked as a duplicate of bug 216019 ***

John Wilander

Comment 5 2021-02-10 11:03:01 PST

https://webkit.org/blog/11545/updates-to-the-storage-access-api/

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 216019

Priority P2

Severity Normal

Classification Unclassified

Version Safari 13

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebCore JavaScript

Assignee

Nobody

Reported

2019-12-17 18:05 PST

Modified

2021-02-10 11:03 PST History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks