Bug 219582

Summary: hasStorageAccess() should return false for embedded documents that have never set cookies in the first-party context
Product: WebKit
Reporter: Steven Englehardt <senglehardt>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: bfulgham, katherine_cheney, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified

Description Steven Englehardt 2020-12-06 10:08:46 PST
Tested in Safari Tech Preview v 14.1.

STR (on a clean profile):
1. Go to https://englehardt-tracker.com/index.html and interact with the page
2. Go to https://senglehardt.com/test/dfpi/storage_access_api.html.
3. In the third iframe from englehardt-tracker.com, click requestStorageAccess(). Click allow in the storage access prompt.
4. Click hasStorageAccess()

Expected result: hasStorageAccess() returns `false`. Though englehardt-tracker.com was previously visited as a first party (and received user interaction), it did not set cookies as a first party. Thus Safari will still prevent it from setting or retrieving cookies, even after the user has approved storage access via requestStorageAccess.

Actual result: hasStorageAccess() returns `true`, but the embedded frame is unable to set / retrieve cookies.

From a developer perspective it might actually make more sense to add the additional cookie restriction as another requirement for requestStorageAccess(). I.e., automatically deny requestStorageAccess if the requesting origin hasn't been visited, interacted with, and set a cookie as a first party. Alternatively you could consider unblocking cookies after a successful call to requestStorageAccess(), even if the embedded origin had never set a cookie in the first-party context.

Comment 1 Radar WebKit Bug Importer 2020-12-06 10:51:02 PST
<rdar://problem/72024603>
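
A check an embedded frame can run to catch the mismatch described in this report, where hasStorageAccess() resolves to `true` while cookies are still blocked. This is an added example, not code from the report or from WebKit; the probe cookie name `__sa_probe` and the `fakeDocument` stand-in are constructed for illustration.

```javascript
// Added example. PROBE and fakeDocument are hypothetical names, not WebKit APIs.
const PROBE = "__sa_probe";

// Write a short-lived probe cookie, read it back, then expire it.
// Returns true only if the cookie jar actually accepted the write.
function cookieRoundTrips(doc) {
  const value = Math.random().toString(36).slice(2);
  // SameSite=None; Secure so the cookie is usable in a cross-site iframe
  // (assumes the frame is served over HTTPS).
  doc.cookie = `${PROBE}=${value}; Path=/; SameSite=None; Secure`;
  const found = doc.cookie.split("; ").includes(`${PROBE}=${value}`);
  doc.cookie = `${PROBE}=; Path=/; Max-Age=0; SameSite=None; Secure`;
  return found;
}

// Compare what hasStorageAccess() reports with what the cookie jar does.
// In the iframe: checkStorageAccess(document).then(console.log)
async function checkStorageAccess(doc) {
  const reported = await doc.hasStorageAccess();
  const effective = cookieRoundTrips(doc);
  return { reported, effective, mismatch: reported !== effective };
}

// Constructed stand-in for an iframe's document, so the check runs offline.
// cookiesBlocked: true models the "Actual result" in the report.
function fakeDocument({ reports, cookiesBlocked }) {
  const jar = new Map();
  return {
    hasStorageAccess: async () => reports,
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
    },
    set cookie(str) {
      if (cookiesBlocked) return; // write is silently dropped
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const i = pair.indexOf("=");
      const name = pair.slice(0, i);
      if (attrs.some((a) => /^max-age=0$/i.test(a))) jar.delete(name);
      else jar.set(name, pair.slice(i + 1));
    },
  };
}
```

A `mismatch` of `true` means the API's answer cannot be trusted on its own and the frame should fall back to a flow that does not depend on its cookies.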