Empty login window on pages that use Cross-Origin-Opener-Policy: same-origin
#5769
Comments
Oh it started working now! Must've been a fluke
This is actually a valid issue. I can reproduce in Safari. The problem is that the page sets a

```
curl -I 'https://simonwillison.net/2023/Aug/27/wordcamp-llms/'
HTTP/2 200
date: Mon, 28 Aug 2023 16:31:05 GMT
content-type: text/html; charset=utf-8
x-content-type-options: nosniff
referrer-policy: same-origin
cross-origin-opener-policy: same-origin
via: 1.1 vegur
cf-cache-status: HIT
age: 2572
last-modified: Mon, 28 Aug 2023 15:48:13 GMT
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NtE%2FsXX6eW%2BJYuODgLSAOxAtOqAqac92g8PSWfwXVAdlivrkcyXASodXhrTjhVTr3OmME0wOeRQVF42PvM83%2B42zMKcRBOPa%2BRr5Sfk91s1nZu1vjCivA0gDJ2xRfK7rmq5nPw%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 7fddf14cc9cf71b6-LHR
alt-svc: h3=":443"; ma=86400
```

There are more details in hypothesis/viahtml#353 (comment) and hypothesis/viahtml#333 (comment). At the time those comments were written we were waiting on new web standards to provide a solution for use cases like ours (sigh). Relevant bit on Hypothesis-specific workarounds:
The particular page you mentioned might change at some future point so that it no longer sets this header, but it is easy enough to create another URL that does set this header for testing.
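As an added example (not code from the Hypothesis project or from anyone in this thread), the following Node.js script parses a raw `curl -I` style response like the one quoted above and reports whether its `Cross-Origin-Opener-Policy` value will sever the `window.opener` link that a cross-origin login popup relies on to hand its result back to the page. The embedded sample response is constructed from the headers in the comment; the function names are my own.

```javascript
// Added example: classify a page's Cross-Origin-Opener-Policy (COOP) from a
// raw HTTP response and predict whether a login popup opened by that page
// (on a different origin, e.g. the Hypothesis login window) keeps its opener.

// Constructed sample, trimmed from the `curl -I` output quoted in the thread.
const SAMPLE_RESPONSE = `HTTP/2 200
date: Mon, 28 Aug 2023 16:31:05 GMT
content-type: text/html; charset=utf-8
referrer-policy: same-origin
cross-origin-opener-policy: same-origin
server: cloudflare`;

// Parse "name: value" lines into a map keyed by lowercase header name.
// The status line and blank lines have no "name:" prefix and are skipped.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    headers[name] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Normalise the COOP value. Per the HTML spec, a missing or unrecognised
// value is treated as "unsafe-none"; parameters such as `report-to="x"`
// after a ";" do not change the policy itself.
function coopValue(headers) {
  const raw = headers['cross-origin-opener-policy'];
  if (raw === undefined) return 'unsafe-none';
  const value = raw.split(';')[0].trim().toLowerCase();
  const known = ['unsafe-none', 'same-origin-allow-popups', 'same-origin'];
  return known.includes(value) ? value : 'unsafe-none';
}

// Effect of each COOP value on a popup living on a *different* origin than
// the page that opened it. With "same-origin" the popup is placed in a new
// browsing context group: its window.opener is null and the opener's handle
// to it reports closed, so postMessage between them cannot work.
// "same-origin-allow-popups" keeps the link as long as the popup's own
// document does not itself set a COOP other than unsafe-none.
const OPENER_SEVERED = {
  'unsafe-none': false,
  'same-origin-allow-popups': false,
  'same-origin': true,
};

function analyzePopupLogin(raw) {
  const coop = coopValue(parseHeaders(raw));
  const openerSevered = OPENER_SEVERED[coop];
  return {
    coop,
    openerSevered,
    note: openerSevered
      ? 'Popup cannot reach window.opener; a cross-origin popup login flow will fail on this page.'
      : 'Popup keeps window.opener; a cross-origin popup login flow can complete here.',
  };
}

// Stand-alone run: print the verdict for the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyzePopupLogin(SAMPLE_RESPONSE));
}
```

Point the parser at the output of `curl -sI <url>` to check a page before filing it as a Hypothesis bug; a `coop` of `same-origin` is exactly the condition this issue is about.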
Cross-Origin-Opener-Policy: same-origin
Chrome are currently exploring a solution for this via The next step for us here is to explore whether we can leverage
Cross-Origin-Opener-Policy: same-origin
In the case of browser extensions, there is a built-in API for completing OAuth login flows -
This leaves the bookmarklet and sites that embed Hypothesis. For the bookmarklet, a possible solution would be to have the sidebar iframe request storage access via
I've been looking closer into using alternative communication channels (eg.
Putting these together, a possible workflow for using
In order to make this work, every OAuth client that is not hosted on the h server itself will need to register a functional redirect URL, not merely a "placeholder" URL that provides an origin for use with For OAuth clients which are hosted on the same site as h, once we have storage access we could skip the whole popup flow if the user is already logged into the h website.
Some new web standards proposals that are relevant:
Neither the bookmarklet nor the Chrome extension works on https://simonwillison.net/2023/Aug/27/wordcamp-llms/ . Tested both Firefox and Chrome.
The UI appears, but it can't log in. Here are the errors in the console:
Upon clicking loading hypothesis:
Upon clicking Log in:
and the hypothesis UI displays "Error: Failed to open login window". The login window does open, but it's empty
The login window displays the following errors: