google-signin icon indicating copy to clipboard operation
google-signin copied to clipboard

Published 20 hours ago verified publisher icon GoogleWebComponents

Disabling third party cookies causes silent failure

Open svachalek opened this issue 9 years ago • 6 comments

This is possibly/probably an issue with the underlying API but if third party cookies are disabled (Chrome Settings -> Privacy -> Content Settings -> Cookies -> Block third-party cookies and site data) the sign-in button will open and close the login window and a message will appear in the console stating that access to sessionStorage has been blocked.

A workaround is possible by adding "accounts.google.com" to the exception list but at the moment there's no way (as far as I can tell) to even know this failure happened. If the problem can't be prevented it would be at least nice to have some way to know it happened (or better, will happen).

svachalek avatar Jun 10 '15 22:06 svachalek

Good one. It looks like we can't detect the failure, and oauth2 library gives no indication of failure. Looks like there is an exception they could trap:

Uncaught SecurityError: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.

@ebidel anyone on oauth2 team we could bug about this?

atotic avatar Jun 11 '15 00:06 atotic

Hello anyone working about this?

posix4e avatar Mar 18 '17 18:03 posix4e

@posix4e I don't think anyone is, unfortunately...

As @atotic said, I guess that the component could catch the error. But then, how should it react? Do you think of any alternative way the component could login the user, for instance?

adrienjoly avatar Mar 19 '17 10:03 adrienjoly

Maybe @sbeleidy (creator of login-fire) has an idea?

adrienjoly avatar Mar 19 '17 10:03 adrienjoly

@adrienjoly not sure really - you can check if cookies are enabled using navigator.cookieEnabled and handle that outside of the component. But I think that will apply to the site using the component not accounts.google.com so you'd still get issues if one and not the other are whitelisted. Not sure how to check if cookies are enabled for a specific domain.

sbeleidy avatar Mar 19 '17 20:03 sbeleidy

A lot of time has passed and I'm not even working on the project that was using this button anymore, but just to clarify the discussion: the problem is not that I wanted the button to react to the failure as @adrienjoly is suggesting, just to pass it on. I would have been fine catching an event and having the app just announce to the user that login was failing and maybe they should check their cookie settings. But there's no event to catch (afaik) and thus the app is blind to the fact that the user is mashing the button to no effect, which looks bad.

I just tried it again to refresh my memory and it looks like there's a promise failure being caught in wc-entry.js and being logged to the console, which as far as I can remember is more than it used to do but still doesn't help the end user much.

I ended up detecting the error indirectly Clippy-style, i.e. "It's taking you a long time to log in, perhaps you want to add this exclusion to your cookie settings?"

svachalek avatar Mar 20 '17 20:03 svachalek