Bug 237399 - [WebAuthn] Give Storage Access API whenever user accepts cross-origin Webauthn prompt
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: pascoe@apple.com
URL:
Keywords: InRadar
Depends on: 222240
Blocks:
Reported: 2022-03-02 16:32 PST by pascoe@apple.com
Modified: 2022-06-23 15:42 PDT

Attachments
Patch (9.44 KB, patch)
2022-03-17 23:02 PDT, pascoe@apple.com
no flags
Patch for landing (9.45 KB, patch)
2022-03-18 11:53 PDT, pascoe@apple.com
ews-feeder: commit-queue-

Description pascoe@apple.com 2022-03-02 16:32:42 PST
This is needed for cross-origin authenticating iframes to use cookies.
Comment 1 Radar WebKit Bug Importer 2022-03-02 16:34:07 PST
<rdar://problem/89719739>
Comment 2 John Wilander 2022-03-03 11:36:47 PST
It's important that anything that opens up storage access uses prompt language that makes cross-site tracking capabilities clear.
Comment 3 pascoe@apple.com 2022-03-17 23:02:23 PDT
Created attachment 455067
Patch
Comment 4 Brent Fulgham 2022-03-18 09:37:37 PDT
Comment on attachment 455067
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=455067&action=review

r=me

> Source/WebKit/ChangeLog:10
> +        assertion. On the apple port, the prompt required for cross-origin assertions includes

Nit: 'Apple' port

> Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp:62
> +            crossOriginParent = document->securityOrigin().data();

Are these ever different when the 'isSameOriginAs' test passes? I wonder if this part of the change is needed.
Comment 5 pascoe@apple.com 2022-03-18 09:39:37 PDT
(In reply to Brent Fulgham from comment #4)
> > Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp:62
> > +            crossOriginParent = document->securityOrigin().data();
> 
> Are these ever different when the 'isSameOriginAs' test passes? I wonder if
> this part of the change is needed.

They are different here because the check above checks that isSameOriginAs doesn't pass.

> if (!crossOriginParent && !origin.isSameOriginAs(document->securityOrigin()))

Thank you for the review.
Comment 6 pascoe@apple.com 2022-03-18 11:53:23 PDT
Created attachment 455120
Patch for landing
Comment 7 Brent Fulgham 2022-06-23 15:42:27 PDT
After further discussion, this will be handled a different way.