With storage access granted, nested iframe is loaded without cookies
Categories
(Core :: Privacy: Anti-Tracking, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox127 | --- | fixed |
People
(Reporter: jsnajdr, Assigned: bvandersloot)
Details
Attachments
(1 file)
Steps to reproduce:
- Be logged in into a site like
wordpress.comas first party, have first party cookies stored for the site. - Go to a different site like
example.blogwhich embeds an iframe fromwordpress.com/embed. - This iframe is loaded without cookies, because 3rd party cookies are blocked. That's expected.
- In the
wordpress.com/embediframe, request storage access withdocument.requestStorageAccess(). It's granted. - Now, create a nested iframe in the
wordpress.com/embediframe, and load a same-origin document into it, likewordpress.com/helper.
What I expected:
The wordpress.com/helper iframe is loaded with the first-party cookies for wordpress.com, because access to them has been explicitly granted.
What actually happened:
There are no cookies on the wordpress.com/helper request. On the other hand, if I do exactly the same request using fetch('./helper'), the first-party cookies are there. It's only the iframe request that omits them.
Chrome, in the same situation, would always send the wordpress.com cookies. Both on same-origin nested iframe (wordpress.com/*) and also on same-site nested iframe (public-api.wordpress.com/*).
I'm using the latest Firefox Nightly 124.0a1 (2024-01-24) (64-bit)
|
||
Comment 1•5 months ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::Privacy: Anti-Tracking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
Assignee | |
Comment 2•5 months ago
|
||
Hello, and thank you for the report!
When you are reproducing this on Chrome, are you testing with third-party cookies disabled?
|
Reporter | |
Comment 3•5 months ago
|
||
Hi Benjamin! Yes, in Chrome I'm testing with the "Block third-party cookies" option ON. I need to call requestStorageAccess in the embedded iframe in order to give it access to third-party cookies. Then both fetch and iframe src requests have the first-party cookies.
|
|
Assignee | |
Comment 4•5 months ago
|
||
Ah, thank you! I will look into this- it does sound like a bug in our current implementation.
|
|
Assignee | |
Updated•5 months ago
|
|
|
Assignee | |
Comment 5•4 months ago
|
||
|
||
Updated•3 months ago
|
|
|
Assignee | |
Comment 6•3 months ago
|
||
Following up- we follow the spec, but we are going to change the spec.
|
|
Reporter | |
Comment 7•3 months ago
|
||
After some discussion on the GitHub issue (https://github.com/privacycg/storage-access/issues/197#issuecomment-1988228533) I was able to work around this issue by reloading the frame after detecting that it doesn't have storage access.
Also, the behavior I reported here is probably not a bug after all. Originally I was not aware that the document that issues the load request for the iframe src URL is not the document that contains the iframe (and has storage access), but it's the contentDocument of the embedded frame. And that one doesn't have storage access until it explicitly asks for it.
By the way, after solving this problem, I immediately hit another problem that I believe is a Firefox bug: partitioned cookies (set with the Partitioned attribute) are not included in the document.cookie string: bug 1884648.
|
||
Updated•3 months ago
|
Pushed by bvandersloot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b80c30fdafc6 Also allow a same-origin initiated iframe to get storage access from its parent - r=anti-tracking-reviewers,timhuang
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45717 for changes under testing/web-platform/tests
|
||
Comment 10•2 months ago
|
||
| bugherder | ||
Upstream PR merged by moz-wptsync-bot
Upstream PR merged by moz-wptsync-bot
Description
•