Re: [w3c/manifest] Make unbounded navigation scope less broad (#550)

@socceroos Noted. This is complex because it's partly a spec issue and partly a Safari issue. (We have seen similar reports on Safari iOS and I've been in contact with Apple about it.)

The spec issue is:

- Previously "unbounded scope" would allow navigations off-origin to proceed within the navigation context, but show some security UI. Now it is specced the way normal scope is: a navigation off-origin is supposed to open a new navigation context.
- This creates an issue for authentication flows where you are expected to navigate off site, then redirect back.
- We don't want to revert back, because the old behaviour only applied in the weird "unbounded scope" case. We want to fix it for all scopes.
- This is covered in the long issue thread #646.

The Safari issue is:

- While it respects the spec by creating a new navigation scope, it also isolates the cookies between the two navigation scopes.
- This means if your app redirects to a different scope, a new navigation context is created in the Safari browser (correct per current spec), you can sign in there (correct), and redirect back to the originating site but still within the Safari browser (bad but technically correct per current spec), but next time you go back to the app, your cookies will be missing (nothing in the spec says to isolate cookies).

So they could fix the above cookie isolation, but I do think we need to fix this case in the spec too. See #646.
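As an added illustration (not code from this thread or from the manifest spec itself), a JavaScript check of the spec's "within scope" rule as I understand it (same origin as the scope URL, and the scope path is a prefix of the navigation URL's path), walked over the authentication round-trip described above: the hop to the identity provider falls outside scope, so the current spec text would open it in a new navigation context, while the redirect back lands in scope again. Hostnames and paths are constructed placeholders.

```javascript
// Added example: the manifest "within scope" test, modelled on the spec's
// rule (same origin as the scope URL, and the scope's path is a prefix of
// the navigation URL's path). Not the spec's or any browser's own code.
function isWithinScope(scopeUrl, targetUrl) {
  const scope = new URL(scopeUrl);
  const target = new URL(targetUrl);
  // Cross-origin navigations are never in scope.
  if (scope.origin !== target.origin) return false;
  return target.pathname.startsWith(scope.pathname);
}

// Walk a sequence of navigations and report which hops leave scope.
// Returns an array of { url, inScope } in navigation order.
function traceAuthFlow(scopeUrl, hops) {
  return hops.map((url) => ({ url, inScope: isWithinScope(scopeUrl, url) }));
}

// Constructed sample: an app scoped to https://app.example/pwa/ that signs
// in through an identity provider on a different origin and redirects back.
const SAMPLE_SCOPE = "https://app.example/pwa/";
const SAMPLE_HOPS = [
  "https://app.example/pwa/login",                 // start inside the app
  "https://idp.example/authorize?client_id=demo",  // off-origin: leaves scope
  "https://app.example/pwa/callback?code=abc",     // redirect back: in scope
  "https://app.example/other/",                    // same origin, outside path
];

const TRACE = traceAuthFlow(SAMPLE_SCOPE, SAMPLE_HOPS);
TRACE.forEach(({ url, inScope }) =>
  console.log(`${inScope ? "in-scope     " : "OUT-OF-SCOPE "}${url}`));
```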

https://github.com/w3c/manifest/issues/550#issuecomment-390873097

Received on Tuesday, 22 May 2018 06:04:19 UTC