Bug 188564

Summary: Storage Access API: Maintain access through same-site navigations
Product: WebKit Reporter: Dima Voytenko <dvoytenko>
Component: FramesAssignee: John Wilander <wilander>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, bfulgham, cdumez, commit-queue, dbates, esprehn+autocc, ews-watchlist, japhet, kangil.han, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=198663
Attachments:
Description Flags
Patch
none
Patch none

Dima Voytenko
Reported 2018-08-14 11:01:52 PDT
An approved `document.requestStorageAccess` will include cookies in the subsequent XHR requests. However, in many cases, it'd be much easier to simply reload the iframe once the storage access has been approved. This seems to fit well within the intent of `requestStorageAccess` API. This especially helps cases that rely on server-side rendering.
Attachments
Patch (31.95 KB, patch)
2018-08-30 17:28 PDT, John Wilander 		no flags
DetailsFormatted DiffDiff
Patch (35.70 KB, patch)
2018-08-31 12:50 PDT, John Wilander 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2018-08-17 16:54:12 PDT
<rdar://problem/43445160>
John Wilander
Comment 2 2018-08-17 16:56:22 PDT
Thanks! We've received other requests on allowing persisted storage access on same-origin navigations of the iframe.
Dima Voytenko
Comment 3 2018-08-20 11:57:37 PDT
Thanks, John! Please notice that this wouldn't only be useful for a clean internal page state, but also security-specific headers such as CSP config.
Dima Voytenko
Comment 4 2018-08-20 12:03:53 PDT
RE: navigations: this would certainly be helpful. For this report, however, I intentionally narrowed the scope as much as possible in hopes that this would be more agreeable and possibly faster to implement.
John Wilander
Comment 5 2018-08-20 12:07:38 PDT
1(In reply to Dima Voytenko from comment #4) > RE: navigations: this would certainly be helpful. For this report, however, > I intentionally narrowed the scope as much as possible in hopes that this > would be more agreeable and possibly faster to implement. As stated, I'm talking about iframe navigations, not top frame navigations. Reloading the iframe is an iframe navigation.
Dima Voytenko
Comment 6 2018-08-20 12:14:02 PDT
> I'm talking about iframe navigations, not top frame navigations. I'm likewise talking about iframe navigation/reload. Not sure where confusion has come from. Are iframes in Safari not observing CSP headers?
John Wilander
Comment 7 2018-08-20 12:21:23 PDT
(In reply to Dima Voytenko from comment #6) > > I'm talking about iframe navigations, not top frame navigations. > > I'm likewise talking about iframe navigation/reload. Not sure where > confusion has come from. Are iframes in Safari not observing CSP headers? I'm commenting on "RE: navigations: this would certainly be helpful. For this report, however, I intentionally narrowed the scope as much as possible …" Your scope is for iframe reloads which are iframe navigations. I can see that a reload would preserve the whole URL and not just the origin, but the significant change request is whether same-origin iframe navigations should be allowed or not.
John Wilander
Comment 8 2018-08-30 14:47:16 PDT
New title to reflect the proposed change.
John Wilander
Comment 9 2018-08-30 17:28:40 PDT
Created attachment 348574 [details] Patch
John Wilander
Comment 10 2018-08-30 17:30:01 PDT
The style checker error about "Inline functions should not be in classes annotated with WEBCORE_EXPORT" is not applicable. The whole class is marked for export and has several inline functions, including the one I'm adding two parameters to.
EWS Watchlist
Comment 11 2018-08-30 17:33:59 PDT
Attachment 348574 [details] did not pass style-queue: ERROR: Source/WebCore/loader/FrameLoaderClient.h:169: Inline functions should not be in classes annotated with WEBCORE_EXPORT. Remove the macro from the class and apply it to each appropriate method, or move the inline function definition out-of-line. [build/webcore_export] [4] Total errors found: 1 in 15 files If any of these errors are false positives, please file a bug against check-webkit-style.
John Wilander
Comment 12 2018-08-31 11:56:06 PDT
I will add another correctness step to one of the test cases.
John Wilander
Comment 13 2018-08-31 12:50:45 PDT
Created attachment 348664 [details] Patch
EWS Watchlist
Comment 14 2018-08-31 12:51:54 PDT
Attachment 348664 [details] did not pass style-queue: ERROR: Source/WebCore/loader/FrameLoaderClient.h:169: Inline functions should not be in classes annotated with WEBCORE_EXPORT. Remove the macro from the class and apply it to each appropriate method, or move the inline function definition out-of-line. [build/webcore_export] [4] Total errors found: 1 in 16 files If any of these errors are false positives, please file a bug against check-webkit-style.
John Wilander
Comment 15 2018-08-31 13:43:22 PDT
Comment on attachment 348664 [details] Patch Thank you, Alex!
WebKit Commit Bot
Comment 16 2018-08-31 14:09:43 PDT
Comment on attachment 348664 [details] Patch Clearing flags on attachment: 348664 Committed r235569: <https://trac.webkit.org/changeset/235569>
WebKit Commit Bot
Comment 17 2018-08-31 14:09:45 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.