COOP, sessionStorage and server-side redirection for SSO protocols #6821
Labels
topic: cross-origin-opener-policy
Issues and ideas around the new "inverse of rel=noopener" header
Comments
domenic
added
the
topic: cross-origin-opener-policy
|
This is considered a bug. COOP shouldn't break a session. @jakearchibald's work in #6315 will codify this. I suppose we could leave this open to verify it's written down accurately in the end. |
|
Yeah, happy to leave this open to verify |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
Similar to the thread for #6356 #6356, what is the expected behaviour for navigations due to server-side redirections (e.g. HTTP 302 / 303) when COOP is enabled?
We are now observing that Firefox 89 clears the sessionStorage on such server-side redirections and this is breaking client applications using SSO protocols (e.g. OpenID Connect, OAuth2, SAML2, etc.) if they have stored state in sessionStorage prior to the authentication using the SSO provider located on a different origin.
I opened a bug at Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1718850
Edited:
On the contrary to what we first suspected, Firefox 89 clears the sessionStorage not because of the HTTP redirection to the SSO provider but because within the SSO provider, a redirection is made with location.href.
The text was updated successfully, but these errors were encountered: