Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SessionStorage partitioning #34

Closed
bvandersloot-mozilla opened this issue Jul 25, 2022 · 10 comments
Closed

SessionStorage partitioning #34

bvandersloot-mozilla opened this issue Jul 25, 2022 · 10 comments

Comments

@bvandersloot-mozilla
Copy link

bvandersloot-mozilla commented Jul 25, 2022
edited
Loading

I noticed that there is a behavior gap between WebKit and Gecko on partitioning SessionStorage. Is there a better option between the two we can align on here?

It may be useful to note that this came up while we were prototyping having Storage not un-partition with the Storage Access API. A major IDP uses SessionStorage and relies upon it not being partitioned in some use cases. That means that it is broken with the combination of always partitioned Storage and partitioned SessionStorage.
@miketaylr
Copy link

A major IDP uses SessionStorage and relies upon it not being partitioned in some use cases.

Do you have any links to bugs?

@bvandersloot-mozilla
Copy link
Author

A major IDP uses SessionStorage and relies upon it not being partitioned in some use cases.

Do you have any links to bugs?

Same issue, different bugtrackers:

@miketaylr
Copy link

Thanks - I suppose Chrome will run into that as well when we start to roll out partitioned storage.

@wanderview
Copy link

Just to make sure I understand correctly, it seems firebase signInWithRedirect is doing an authentication redirect, but instead of using query parameters to communicate tokens back to the originating site they are instead using a 3P iframe? Flows like OAUTH and OpenId use query params instead IIUC.

@bvandersloot-mozilla
Copy link
Author

Just to make sure I understand correctly, it seems firebase signInWithRedirect is doing an authentication redirect, but instead of using query parameters to communicate tokens back to the originating site they are instead using a 3P iframe? Flows like OAUTH and OpenId use query params instead IIUC.

Yes. Specifically they are using SessionStorage which is shared between an embedded iframe and a previous top-level context if not partitioned.

@bvandersloot-mozilla
Copy link
Author

@annevk : Do you have a stance on whether SessionStorage should be partitioned?

@wanderview
Copy link

My personal take is that we should partition it. As demonstrated by firebase it can be used as a communication channel. We're partitioning other non-persistent communication channels like BroadcastChannel, SharedWorker, etc, so it seems we should partition this one as well.

@johannhof
Copy link
Member

@johnwilander do you know if there's documentation (or a prior comment) outlining why WebKit doesn't partition SessionStorage? Would you consider aligning with other browsers in shipping partitioned SessionStorage?

@annevk
Copy link
Collaborator

annevk commented Sep 28, 2022

WebKit has addressed this issue some time ago: https://bugs.webkit.org/show_bug.cgi?id=210776. (As far as I can tell my colleagues agree it should be partitioned.)

@bvandersloot-mozilla
Copy link
Author

Ah, that is excellent news!

Interesting: I was going off of https://privacytests.org and it looked like Safari didn't partition. Looking at the PR linked in that bug, it landed on Aug 24. Now I look and it is fixed in the Nightly tab on privacytests.org! I'm happy to close this as resolved.

@miketaylr miketaylr mentioned this issue Mar 7, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@miketaylr @wanderview @annevk @johannhof @bvandersloot-mozilla