WebKit Bugzilla
Bug 228856 (NEW)
Feature Request: Don't partition third party localStorage by subdomain
https://bugs.webkit.org/show_bug.cgi?id=228856
Sarah
Reported
2021-08-05 20:15:57 PDT
Hi,

I've run into an issue with WebKit deleting localStorage items set by a third party (hosted in an iFrame) when moving between two subdomains of a first party website. What is the benefit of partitioning between subdomains of the same first party?

I saw this was intentional here (https://webkit.org/tracking-prevention), however when reading the definition of a first party here (https://webkit.org/tracking-prevention-policy) it clearly states that subdomains are part of the same first party,

"In practice, we consider resources to belong to the same party if they are part of the same registrable domain: a public suffix plus one additional label. Example: site.example, www.site.example, and s.u.b.site.example are all the same party since site.example is their shared registrable domain."

Thank you,
Sarah
Sam Sneddon [:gsnedders]
Comment 1
2021-08-06 10:34:50 PDT
> I've run into an issue with WebKit deleting localStorage items set by a third party (hosted in an iFrame) when moving between two subdomains of a first party website. What is the benefit of partitioning between subdomains of the same first party?
i.e.:

You have a page at http://example.com, with two iframes: http://a.example.net and http://b.example.net, and what's happening is those two iframes appear to have different storage domains?

And this is all happening within a single session (c.f. bug 168631) and you're not running macOS 11.3/11.4 (which might hit bug 225344)?
Sarah
Comment 2
2021-08-06 11:42:26 PDT
(In reply to Sam Sneddon [:gsnedders] from comment #1)
> > I've run into an issue with WebKit deleting localStorage items set by a third party (hosted in an iFrame) when moving between two subdomains of a first party website. What is the benefit of partitioning between subdomains of the same first party?
>
> i.e.:
>
> You have a page at http://example.com, with two iframes: http://a.example.net and http://b.example.net, and what's happening is those two iframes appear to have different storage domains?
>
> And this is all happening within a single session (c.f. bug 168631) and you're not running macOS 11.3/11.4 (which might hit bug 225344)?
Hi, sorry, let me be more specific! I have a feeling this is as designed which is why I made a feature request, but also I'm not an expert in this area so it may be a silly FR.

I have two pages, http://a.example.com and http://b.example.com. They serve up basically the same single page application to users, with different information siloed to each subdomain. Not ideal, but this is what we do (this was the solution to merging two companies with two separate web teams). When the user crosses subdomains, we keep them logged in. So the user may switch back and forth from subdomain a and subdomain b several times in their session.

We are implementing a third-party chat widget with a script tag that adds an iFrame to the page. This iFrame sets the chat session information in localStorage from the third-party's site (http://example.azureedge.net).

The problem arises when users switch between our subdomains after starting a chat. The chat session information is removed, ending the conversation and closing the widget. This isn't something we see on Chrome. When doing research, I saw the Brave browser has something similar but I couldn't decipher if they partition localStorage from third-parties by each subdomain within a first-party or not. They just say they partition it by first-party.

Thanks for your help!
Sarah
Radar WebKit Bug Importer
Comment 3
2021-08-12 20:16:22 PDT
<rdar://problem/81881409>
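The scenario from comment 2, modelled as an added example (not WebKit code and not part of the original thread): third-party storage keyed on the embedding page's full hostname versus its registrable domain as the quoted policy defines it. The suffix set, the `mode` parameter, and the names `partitionKey`, `PartitionedStorage` and `chatSurvivesNavigation` are assumptions made for illustration.

```javascript
// Constructed suffix set (includes the policy's ".example"); not the real Public Suffix List.
const SUFFIXES = new Set(["com", "net", "co.uk", "example"]);

// Registrable domain: the longest matching public suffix plus one additional label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// mode "host": key on the embedding page's full hostname (hypothetical model).
// mode "site": key on the embedding page's registrable domain (hypothetical model).
function partitionKey(topUrl, frameUrl, mode) {
  const topHost = new URL(topUrl).hostname;
  const top = mode === "site" ? (registrableDomain(topHost) ?? topHost) : topHost;
  return `${top}|${new URL(frameUrl).origin}`;
}

// One storage area per (embedding party, iframe origin) partition.
class PartitionedStorage {
  constructor(mode) {
    this.mode = mode;
    this.partitions = new Map();
  }
  area(topUrl, frameUrl) {
    const key = partitionKey(topUrl, frameUrl, this.mode);
    if (!this.partitions.has(key)) this.partitions.set(key, new Map());
    return this.partitions.get(key);
  }
}

// The widget iframe writes its session under a.example.com, then reads it under b.example.com.
function chatSurvivesNavigation(mode) {
  const store = new PartitionedStorage(mode);
  const widget = "http://example.azureedge.net/widget"; // iframe origin from the report
  store.area("http://a.example.com/", widget).set("chatSession", "constructed-session-id");
  return store.area("http://b.example.com/", widget).get("chatSession") ?? null;
}
```

With `"host"` keying the iframe sees an empty storage area after the subdomain switch, which a widget would experience as a lost session; with `"site"` keying both subdomains map to the same partition.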