Open davidje13 opened 4 years ago
This is a result of adding `cross-origin-opener-policy`; removing temporarily as a workaround.
The workaround of using localStorage rather than sessionStorage is not ideal; reported on bugzilla with request for clarification here: https://bugzilla.mozilla.org/show_bug.cgi?id=1656768
According to the Mozilla bugtracker, this will be fixed in the browser in version 85 (current version is 84).
Once this is confirmed fixed, the Firefox special-casing should be updated to only apply to FF < 85 (and once FF 86 is out, can be removed entirely, since we only support last 2 versions of browsers)
Firefox has changed the `sessionStorage` behaviour; it is no longer possible to set `sessionStorage` data, redirect the user to another site, get redirected back, and read that data. This is how the login `nonce` is currently being handled.

From the MDN description this appears to be intentional, so it may be necessary to switch to `localStorage` instead.

This has also revealed that the user flow if the nonce is not present is not good; currently it invokes `setError('')`, which makes the page appear to hang. It should show a real error message. It might even be desirable to let the user override the nonce check by clicking a button in this case (intentional user interaction mitigates the same security risks as the nonce)
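
An added example, not code from this issue or the project: one way to keep a login nonce in `localStorage` while restoring what `sessionStorage` gave for free (expiry and single use), and to return a distinct, non-empty error for a missing nonce. The key name, TTL, reason codes, message texts and the `memoryStorage` stand-in are assumptions made for illustration.

```javascript
// Added example, not the project's code. Key name, TTL and reason codes are assumptions.
const NONCE_KEY = 'login-nonce';
const NONCE_TTL_MS = 10 * 60 * 1000; // localStorage never expires by itself
// Browsers and current Node expose Web Crypto globally; older Node needs the module.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Call before redirecting to the login provider; the result goes along with the redirect.
function beginLogin(storage, now = Date.now()) {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  const nonce = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  storage.setItem(NONCE_KEY, JSON.stringify({ nonce, expires: now + NONCE_TTL_MS }));
  return nonce;
}

// Call on the return page with the nonce echoed back by the provider.
function finishLogin(storage, returnedNonce, now = Date.now()) {
  const raw = storage.getItem(NONCE_KEY);
  storage.removeItem(NONCE_KEY); // single use, whatever the outcome
  let saved = null;
  try { saved = JSON.parse(raw); } catch { /* corrupt entry: treat as missing */ }
  if (!saved || typeof saved.nonce !== 'string' || typeof saved.expires !== 'number') {
    return { ok: false, reason: 'missing' };
  }
  if (now > saved.expires) return { ok: false, reason: 'expired' };
  if (saved.nonce !== returnedNonce) return { ok: false, reason: 'mismatch' };
  return { ok: true, reason: null };
}

// A non-empty message for every failure, so the page never sits on setError('').
function loginErrorMessage(reason) {
  const messages = {
    missing: 'No login attempt was found in this browser. Please start the login again.',
    expired: 'The login attempt took too long. Please start the login again.',
    mismatch: 'The login response did not match this browser session. Please try again.',
  };
  return messages[reason] ?? 'Login failed. Please try again.';
}

// Constructed stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => void data.set(k, String(v)),
    removeItem: (k) => void data.delete(k),
  };
}
```

In a browser, pass `window.localStorage` as `storage`; because that store is shared by every tab of the origin, a second login started in another tab overwrites the first nonce and the first attempt then reports `mismatch`.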