With storage access granted, nested iframe is loaded without cookies
Categories
(Core :: Privacy: Anti-Tracking, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox127 | --- | fixed |
People
(Reporter: jsnajdr, Assigned: bvandersloot)
Details
Attachments
(1 file)
Steps to reproduce:
- Be logged in into a site like
wordpress.com
as first party, have first party cookies stored for the site. - Go to a different site like
example.blog
which embeds an iframe fromwordpress.com/embed
. - This iframe is loaded without cookies, because 3rd party cookies are blocked. That's expected.
- In the
wordpress.com/embed
iframe, request storage access withdocument.requestStorageAccess()
. It's granted. - Now, create a nested iframe in the
wordpress.com/embed
iframe, and load a same-origin document into it, likewordpress.com/helper
.
What I expected:
The wordpress.com/helper
iframe is loaded with the first-party cookies for wordpress.com
, because access to them has been explicitly granted.
What actually happened:
There are no cookies on the wordpress.com/helper
request. On the other hand, if I do exactly the same request using fetch('./helper')
, the first-party cookies are there. It's only the iframe request that omits them.
Chrome, in the same situation, would always send the wordpress.com
cookies. Both on same-origin nested iframe (wordpress.com/*
) and also on same-site nested iframe (public-api.wordpress.com/*
).
I'm using the latest Firefox Nightly 124.0a1 (2024-01-24) (64-bit)
Comment 1•5 months ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::Privacy: Anti-Tracking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Assignee | ||
Comment 2•5 months ago
|
||
Hello, and thank you for the report!
When you are reproducing this on Chrome, are you testing with third-party cookies disabled?
Reporter | ||
Comment 3•5 months ago
|
||
Hi Benjamin! Yes, in Chrome I'm testing with the "Block third-party cookies" option ON. I need to call requestStorageAccess
in the embedded iframe in order to give it access to third-party cookies. Then both fetch
and iframe src
requests have the first-party cookies.
Assignee | ||
Comment 4•5 months ago
|
||
Ah, thank you! I will look into this- it does sound like a bug in our current implementation.
Assignee | ||
Updated•5 months ago
|
Assignee | ||
Comment 5•4 months ago
|
||
Updated•3 months ago
|
Assignee | ||
Comment 6•3 months ago
|
||
Following up- we follow the spec, but we are going to change the spec.
Reporter | ||
Comment 7•3 months ago
|
||
After some discussion on the GitHub issue (https://github.com/privacycg/storage-access/issues/197#issuecomment-1988228533) I was able to work around this issue by reloading the frame after detecting that it doesn't have storage access.
Also, the behavior I reported here is probably not a bug after all. Originally I was not aware that the document that issues the load request for the iframe src
URL is not the document that contains the iframe (and has storage access), but it's the contentDocument
of the embedded frame. And that one doesn't have storage access until it explicitly asks for it.
By the way, after solving this problem, I immediately hit another problem that I believe is a Firefox bug: partitioned cookies (set with the Partitioned
attribute) are not included in the document.cookie
string: bug 1884648.
Updated•3 months ago
|
Pushed by bvandersloot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b80c30fdafc6 Also allow a same-origin initiated iframe to get storage access from its parent - r=anti-tracking-reviewers,timhuang
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45717 for changes under testing/web-platform/tests
Comment 10•2 months ago
|
||
bugherder |
Upstream PR merged by moz-wptsync-bot
Upstream PR merged by moz-wptsync-bot
Description
•