RESOLVED FIXED 241155
PopUpSOAuthorizationSession::initSecretWebView performs a shallow copy leading to manipulation of parent view configuration
https://bugs.webkit.org/show_bug.cgi?id=241155
Brent Fulgham
Reported 2022-05-31 14:02:28 PDT
The AppSSO flows that create a new WKWebView pass through a method 'PopUpSOAuthorizationSession::initSecretWebView'. This conducts SSO flows in an invisible Window for cases where other UI handles the actual authentication, but a web view is needed to handle server interactions. It turns AppSSO off in this view so that normal server authentication can happen without AppSSO being triggered a second time. This method made the common mistake of believing that copying the configuration of the parent WKWebView gave a deep copy that could be manipulated to control the invisible view independently of the parent view. While the method correctly disabled AppSSO for the hidden view, it also deactivated it for the parent view. This bug could lead to cases where someone who mistakenly terminated an AppSSO flow would be unable to start the process a second time, as the view would now be configured to block access to AppSSO authentication. This bug corrects that bug.
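The aliasing described in the report, as an added example that is not WebKit code or part of the original report: a minimal C++ model in which copying a configuration duplicates the outer object but not the preferences it points to. All type, member and function names (`Preferences`, `ViewConfiguration`, `appSSOEnabled` and the helpers) are hypothetical, and the deep copy shown is one way to avoid the aliasing, not necessarily the change that landed.

```cpp
#include <memory>

// Hypothetical model, not WebKit code: a view configuration that holds its
// preferences by reference, the way an Objective-C object holds a pointer.
struct Preferences {
    bool appSSOEnabled = true;   // hypothetical flag name
    bool javaScriptEnabled = true;
};

struct ViewConfiguration {
    std::shared_ptr<Preferences> preferences = std::make_shared<Preferences>();

    // Shallow copy: the new configuration is a distinct object, but its
    // preferences pointer still refers to the parent's Preferences.
    ViewConfiguration shallowCopy() const { return *this; }

    // Deep copy: the preferences object itself is duplicated, so changes made
    // through the copy cannot reach the parent.
    ViewConfiguration deepCopy() const
    {
        ViewConfiguration copy;
        copy.preferences = std::make_shared<Preferences>(*preferences);
        return copy;
    }
};

// Buggy pattern: disable AppSSO for the hidden view via a shallow copy.
// Returns the parent's flag afterwards (false means the parent was changed).
bool parentFlagAfterShallowCopy()
{
    ViewConfiguration parent;
    ViewConfiguration hidden = parent.shallowCopy();
    hidden.preferences->appSSOEnabled = false;
    return parent.preferences->appSSOEnabled;
}

// Corrected pattern: the same change made through a deep copy.
bool parentFlagAfterDeepCopy()
{
    ViewConfiguration parent;
    ViewConfiguration hidden = parent.deepCopy();
    hidden.preferences->appSSOEnabled = false;
    return parent.preferences->appSSOEnabled;
}

// Check a caller can run before mutating a copied configuration.
bool sharesPreferences(const ViewConfiguration& a, const ViewConfiguration& b)
{
    return a.preferences == b.preferences;
}
```

A pointer-identity check like `sharesPreferences` is cheap to put in a regression test for any code path that copies a configuration and then changes settings on the copy.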
Radar WebKit Bug Importer
Comment 1 2022-05-31 14:03:54 PDT
Brent Fulgham
Comment 2 2022-05-31 14:10:26 PDT
EWS
Comment 3 2022-05-31 15:09:06 PDT
Committed r295068 (251163@main): <https://commits.webkit.org/251163@main> Reviewed commits have been landed. Closing PR #1190 and removing active labels.