Closed klemay closed 5 years ago
The embedded Hypothesis client stores details (an API token) for the logged-in user in local storage. Third-party cookie blocking typically prevents third-party iframes (ie. those with a different origin than the tab itself) from storing data in local storage as well, because otherwise that would be used to bypass cookie blocking. The end result is that the client typically cannot persist the login if third-party cookies are blocked. Note that the h website login is remembered, so clicking the "Log in" link in the client is enough to log in again. There shouldn't be a need to re-enter the username and password.
The browser extension doesn't currently change the client's behaviour here and hence the same thing happens. We probably could make use of extension-specific APIs to avoid this problem. I think Nick suggested doing that aeons ago.
Thanks, @robertknight, that's really helpful! I'm going to close this issue and create a separate backlog item to be prioritized.
Note for developers: This is a question, not a feature request at this time. Depending on the answer to this question, a feature request may come out of it.
Twitter user nicknikolov reached out to us because the Chrome extension was logging him out every time he opened a new tab and every time he did a page reload:
https://twitter.com/nicknikolov/status/1058095765673951234
Turns out he had 3rd-party cookies blocked by default, and whitelisting
https://hypothes.is/
did not resolve the issue. He had to turn on the option to allow 3rd party cookies by default. I have reproduced this on the latest version of Chrome for Mac (Mojave).The main questions here are:
Steps to reproduce
https://hypothes.is/
Expected behavior
Since it's within the same browsing session, you'd expect to still be logged in
Actual behavior
You're required to log back in.