Bug 237399 (RESOLVED INVALID)
[WebAuthn] Give Storage Access API whenever user accepts cross-origin Webauthn prompt
https://bugs.webkit.org/show_bug.cgi?id=237399
pascoe@apple.com
Reported 2022-03-02 16:32:42 PST
This is needed for cross-origin authenticating iframes to use cookies.
Attachments
Patch (9.44 KB, patch)
2022-03-17 23:02 PDT, pascoe@apple.com
no flags
Patch for landing (9.45 KB, patch)
2022-03-18 11:53 PDT, pascoe@apple.com
ews-feeder: commit-queue-
Radar WebKit Bug Importer
Comment 1 2022-03-02 16:34:07 PST
John Wilander
Comment 2 2022-03-03 11:36:47 PST
It's important that anything that opens up storage access uses prompt language that makes cross-site tracking capabilities clear.
pascoe@apple.com
Comment 3 2022-03-17 23:02:23 PDT
Brent Fulgham
Comment 4 2022-03-18 09:37:37 PDT
Comment on attachment 455067 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=455067&action=review
r=me
> Source/WebKit/ChangeLog:10
> + assertion. On the apple port, the prompt required for cross-origin assertions includes
Nit: 'Apple' port
> Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp:62
> + crossOriginParent = document->securityOrigin().data();
Are these ever different when the 'isSameOriginAs' test passes? I wonder if this part of the change is needed.
pascoe@apple.com
Comment 5 2022-03-18 09:39:37 PDT
(In reply to Brent Fulgham from comment #4)
> > Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp:62
> > + crossOriginParent = document->securityOrigin().data();
>
> Are these ever different when the 'isSameOriginAs' test passes? I wonder if
> this part of the change is needed.
They are different here because the check above checks that isSameOriginAs doesn't pass.
> if (!crossOriginParent && !origin.isSameOriginAs(document->securityOrigin()))
Thank you for the review.
pascoe@apple.com
Comment 6 2022-03-18 11:53:23 PDT
Created attachment 455120 [details] Patch for landing
Brent Fulgham
Comment 7 2022-06-23 15:42:27 PDT
After further discussion, this will be handled a different way.