Commit db1e1924 authored by Robert Knight's avatar Robert Knight

Always use OAuth if cookie storage is blocked

If third party cookies are blocked then OAuth is the only option for
authentication. Third party cookies may be blocked either by
privacy-enhancing extensions or browser settings, for example:

In Safari:
 1. Go to Settings -> Privacy
 2. Set "Cookies and website data" to "Allow from current website only"

In Chrome:
 1. Go to chrome://settings/content/cookies
 2. Enable "Block third-party cookies"
 3. Check that the h service domain is not listed under "Allow". The
    Hypothesis browser extensions add it there automatically, so it must
    be removed to reproduce the blocked-cookie case.

Once OAuth has been shipped for all users, this code can be deleted.
parent ca516d3a
...@@ -109,10 +109,24 @@ function processAppOpts() { ...@@ -109,10 +109,24 @@ function processAppOpts() {
} }
} }
function canSetCookies() {
// Try to add a short-lived cookie. Note the `document.cookie` setter has
// unusual semantics, this doesn't overwrite other cookies.
document.cookie = 'cookie-setter-test=1;max-age=5';
return document.cookie.indexOf('cookie-setter-test=1') !== -1;
}
function shouldUseOAuth() { function shouldUseOAuth() {
if (serviceConfig(settings)) { if (serviceConfig(settings)) {
// If the host page supplies annotation service configuration, including a
// grant token, use OAuth.
return true;
}
if (!canSetCookies()) {
// If cookie storage is blocked by the browser, we have to use OAuth.
return true; return true;
} }
// Otherwise, use OAuth only if the feature flag is enabled.
return settings.oauthClientId && settings.oauthEnabled; return settings.oauthClientId && settings.oauthEnabled;
} }
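Review bot: `canSetCookies` assumes that reading and writing `document.cookie` never throws, but a document with an opaque origin (for example the sidebar loaded in a sandboxed iframe without `allow-same-origin`) raises a `SecurityError` on either access, and that exception would propagate out of `shouldUseOAuth` instead of selecting OAuth. Wrapping the probe in `try`/`catch` and returning `false` on any exception keeps the failure mode on the safe side: fall back to OAuth rather than break authentication entirely. While there, the probe cookie can be removed with `max-age=0` once the check is done instead of being left to expire, and the probe should carry the same `Secure`/`SameSite`/`path` attributes as the real session cookie, since a cookie set with different attributes may be accepted or rejected differently from the one that matters; those attributes are not visible from this hunk, so treat that as something to confirm. The leading `}` lines of the hunk close a function whose definition starts outside it.
```javascript
function canSetCookies() {
  try {
    // TODO(review): give the probe the same Secure/SameSite/path attributes as
    // the real session cookie so the answer predicts whether that cookie works.
    document.cookie = 'cookie-setter-test=1;max-age=5';
    const ok = document.cookie.indexOf('cookie-setter-test=1') !== -1;
    // Remove the probe cookie rather than leaving it to expire.
    document.cookie = 'cookie-setter-test=1;max-age=0';
    return ok;
  } catch (e) {
    // A document with an opaque origin (eg. a sandboxed iframe) throws a
    // SecurityError on `document.cookie` access. Treat that as "no cookies"
    // so the caller falls back to OAuth.
    return false;
  }
}
```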