Attempt to request storage access for cookies (#25055)

Closes #23872

Signed-off-by: Jon Koops <jonkoops@gmail.com>
This commit is contained in:
Jon Koops 2023-11-27 19:23:40 +01:00 committed by GitHub
parent a8fcd2147c
commit 0b9dd21b0a
3 changed files with 41 additions and 5 deletions


@ -201,7 +201,7 @@ function Keycloak (config) {
var ifrm = document.createElement("iframe"); var ifrm = document.createElement("iframe");
var src = kc.createLoginUrl({prompt: 'none', redirectUri: kc.silentCheckSsoRedirectUri}); var src = kc.createLoginUrl({prompt: 'none', redirectUri: kc.silentCheckSsoRedirectUri});
ifrm.setAttribute("src", src); ifrm.setAttribute("src", src);
ifrm.setAttribute("sandbox", "allow-scripts allow-same-origin"); ifrm.setAttribute("sandbox", "allow-storage-access-by-user-activation allow-scripts allow-same-origin");
ifrm.setAttribute("title", "keycloak-silent-check-sso"); ifrm.setAttribute("title", "keycloak-silent-check-sso");
ifrm.style.display = "none"; ifrm.style.display = "none";
document.body.appendChild(ifrm); document.body.appendChild(ifrm);
@ -1197,7 +1197,7 @@ function Keycloak (config) {
var src = kc.endpoints.checkSessionIframe(); var src = kc.endpoints.checkSessionIframe();
iframe.setAttribute('src', src ); iframe.setAttribute('src', src );
iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin'); iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
iframe.setAttribute('title', 'keycloak-session-iframe' ); iframe.setAttribute('title', 'keycloak-session-iframe' );
iframe.style.display = 'none'; iframe.style.display = 'none';
document.body.appendChild(iframe); document.body.appendChild(iframe);
@ -1270,7 +1270,7 @@ function Keycloak (config) {
if (loginIframe.enable || kc.silentCheckSsoRedirectUri) { if (loginIframe.enable || kc.silentCheckSsoRedirectUri) {
var iframe = document.createElement('iframe'); var iframe = document.createElement('iframe');
iframe.setAttribute('src', kc.endpoints.thirdPartyCookiesIframe()); iframe.setAttribute('src', kc.endpoints.thirdPartyCookiesIframe());
iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin'); iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
iframe.setAttribute('title', 'keycloak-3p-check-iframe' ); iframe.setAttribute('title', 'keycloak-3p-check-iframe' );
iframe.style.display = 'none'; iframe.style.display = 'none';
document.body.appendChild(iframe); document.body.appendChild(iframe);
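Review bot: The updated `sandbox` value is now the same string literal written out in all three hunks of this file (silent-check-sso iframe, session iframe, third-party-cookie check iframe), so a later tweak to one iframe can silently leave the other two with a different policy; hoist it into one shared constant such as `var IFRAME_SANDBOX = 'allow-storage-access-by-user-activation allow-scripts allow-same-origin';` and use `iframe.setAttribute('sandbox', IFRAME_SANDBOX);` at each site. `allow-storage-access-by-user-activation` appears to be an experimental, engine-specific sandbox token (unrecognised tokens are ignored, so it is harmless where unsupported), which is worth a one-line comment next to the constant so readers do not take it for the thing that grants access — the grant still comes from the `requestStorageAccess()` call in the check pages. The enclosing `Keycloak` function starts and ends outside these hunks.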


@ -20,12 +20,30 @@
} }
} }
// See https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API/Using#checking_and_requesting_storage_access
async function hasStorageAccess() { async function hasStorageAccess() {
// Check if the Storage Access API is supported, if not, pretend we have access.
// This is for older browsers, where support can be determined using the test cookie.
if (!("hasStorageAccess" in document)) { if (!("hasStorageAccess" in document)) {
return true; return true;
} }
return document.hasStorageAccess(); // Check if we already have been granted storage access, if so, signal access.
if (await document.hasStorageAccess()) {
return true;
}
try {
// Attempt to request storage access without a user interaction.
// This might fail, and if it does an exception will be thrown.
await document.requestStorageAccess();
// If no exceptions are thrown, then signal access.
return true;
} catch (error) {
// If an exception is thrown, then signal no access.
return false;
}
} }
function attemptWithTestCookie() { function attemptWithTestCookie() {
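Review bot: The feature check at the top of `hasStorageAccess` only tests `"hasStorageAccess" in document`, yet the new code below it also calls `document.requestStorageAccess()`; if that method is absent the resulting TypeError is caught by the catch-all and reported as "no access", a different outcome from the "pretend we have access" path the comment promises for unsupported browsers. Make the detection cover both methods, `if (!("hasStorageAccess" in document) || !("requestStorageAccess" in document)) {`, so the catch only ever sees a genuine refusal of the request. The `error` binding in `catch (error)` is never read; either drop it (`} catch {`, if the target language level allows) or keep it and state in the comment that a rejection without user activation is the expected, non-fatal case rather than a fault. The same function body is added verbatim in the third file section and needs the identical change there.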


@ -72,12 +72,30 @@
return "error"; return "error";
} }
// See https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API/Using#checking_and_requesting_storage_access
async function hasStorageAccess() { async function hasStorageAccess() {
// Check if the Storage Access API is supported, if not, pretend we have access.
// This is for older browsers, where support can be determined using the test cookie.
if (!("hasStorageAccess" in document)) { if (!("hasStorageAccess" in document)) {
return true; return true;
} }
return document.hasStorageAccess(); // Check if we already have been granted storage access, if so, signal access.
if (await document.hasStorageAccess()) {
return true;
}
try {
// Attempt to request storage access without a user interaction.
// This might fail, and if it does an exception will be thrown.
await document.requestStorageAccess();
// If no exceptions are thrown, then signal access.
return true;
} catch (error) {
// If an exception is thrown, then signal no access.
return false;
}
} }
function getSessionCookie() { function getSessionCookie() {