In [1] a user discovered that Google Inbox is broken in Epiphany only
when used as a web app. The problem is that when creating a web app, we
copy all cookies for the web app's domain into the web app profile dir,
but no other cookies. Turns out Inbox depends on third-party cookies
(actually cookies from a different google domain) and breaks if Inbox
cookies are present without those other cookies. It uses frames, which
must be why our normal cookie policy (block third-party cookies by
default) doesn't break Inbox.

Possible fixes:

 * Copy no cookies. User needs to log in again the first time the web
app is opened. One time cost. I'm leaning toward this right now, but it
seems a shame to remove this feature to work around a Google bug.
 * Copy all cookies. Almost all the cookies saved in the web app's
profile directory will then be unnecessary, and it will be impossible
to ever clear them.
 * Copy cookies only from the second-level domain (google.com). I
expect it would fix this case, but what if other sites have the same
problem? Also, this seems strange because it doesn't parallel the
normal security model for the web; subdomains are not trusted by parent

Thoughts, preferences, suggestions?


[1] https://bugzilla.gnome.org/show_bug.cgi?id=771540
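
The copy policies listed in the message, compared on a constructed cookie jar. This is an added Python sketch, not Epiphany code. Assumptions: the cookie names and hosts, the `Cookie` tuple, reading "cookies for the web app's domain" as RFC 6265 domain-match, and the three-entry suffix set standing in for the Public Suffix List.

```python
# Added illustration; every cookie, host and suffix below is constructed.
from collections import namedtuple

Cookie = namedtuple("Cookie", "domain name")

# Constructed browser cookie jar (a leading dot marks a domain cookie).
JAR = [
    Cookie("inbox.google.com", "INBOX_SESSION"),
    Cookie(".google.com", "SID"),
    Cookie("accounts.google.com", "LSID"),   # host-only, sibling subdomain
    Cookie(".example.org", "tracker"),
]

# Stand-in for the Public Suffix List; real code must consult the full list,
# otherwise "co.uk" style suffixes are mistaken for a site's own domain.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def base_domain(host):
    """Registrable domain: longest public suffix plus one label, else None."""
    labels = host.lstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None

def sent_to(cookie, host):
    """RFC 6265 domain-match: would this cookie be sent to `host`?"""
    d = cookie.domain.lower()
    if d.startswith("."):
        return host == d[1:] or host.endswith(d)
    return host == d

def select(jar, app_host, policy):
    """Return the cookies a given policy would copy into the web app profile."""
    if policy == "none":
        return []
    if policy == "all":
        return list(jar)
    if policy == "app_domain":    # assumed reading of the behaviour described
        return [c for c in jar if sent_to(c, app_host)]
    if policy == "base_domain":   # third option in the list
        base = base_domain(app_host)
        return [c for c in jar
                if base is not None and base_domain(c.domain) == base]
    raise ValueError(policy)

if __name__ == "__main__":
    for policy in ("none", "app_domain", "base_domain", "all"):
        copied = select(JAR, "inbox.google.com", policy)
        print(f"{policy:12} {[c.name for c in copied]}")
```

With this jar, `app_domain` leaves out the host-only `accounts.google.com` cookie, `base_domain` picks it up without copying the unrelated `.example.org` cookie, and `all` copies everything.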