The AppSSO flows that create a new WKWebView pass through a method 'PopUpSOAuthorizationSession::initSecretWebView'. This conducts SSO flows in an invisible Window for cases where other UI handles the actual authentication, but a web view is needed to handle server interactions. It turns AppSSO off in this view so that normal server authentication can happen without AppSSO being triggered a second time. This method made the common mistake of believing that copying the configuration of the parent WKWebView gave a deep copy that could be manipulated to control the invisible view independently of the parent view. While the method correctly disabled AppSSO for the hidden view, it also deactivated it for the parent view. This bug could lead to cases where someone who mistakenly terminated an AppSSO flow would be unable to start the process a second time, as the view would now be configured to block access to AppSSO authentication. This bug corrects that bug.
<rdar://problem/94176551>
Pull request: https://github.com/Webkit/WebKit/pull/1190
Committed r295068 (251163@main): <https://commits.webkit.org/251163@main> Reviewed commits have been landed. Closing PR #1190 and removing active labels.