WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
241155
PopUpSOAuthorizationSession::initSecretWebView performs a shallow copy leading to manipulation of parent view configuration
https://bugs.webkit.org/show_bug.cgi?id=241155
Summary
PopUpSOAuthorizationSession::initSecretWebView performs a shallow copy leadin...
Brent Fulgham
Reported
2022-05-31 14:02:28 PDT
The AppSSO flows that create a new WKWebView pass through a method 'PopUpSOAuthorizationSession::initSecretWebView'. This conducts SSO flows in an invisible Window for cases where other UI handles the actual authentication, but a web view is needed to handle server interactions. It turns AppSSO off in this view so that normal server authentication can happen without AppSSO being triggered a second time. This method made the common mistake of believing that copying the configuration of the parent WKWebView gave a deep copy that could be manipulated to control the invisible view independently of the parent view. While the method correctly disabled AppSSO for the hidden view, it also deactivated it for the parent view. This bug could lead to cases where someone who mistakenly terminated an AppSSO flow would be unable to start the process a second time, as the view would now be configured to block access to AppSSO authentication. This bug corrects that bug.
Attachments
Add attachment
proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1
2022-05-31 14:03:54 PDT
<
rdar://problem/94176551
>
Brent Fulgham
Comment 2
2022-05-31 14:10:26 PDT
Pull request:
https://github.com/Webkit/WebKit/pull/1190
EWS
Comment 3
2022-05-31 15:09:06 PDT
Committed
r295068
(
251163@main
): <
https://commits.webkit.org/251163@main
> Reviewed commits have been landed. Closing PR #1190 and removing active labels.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug