sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
https://sandstorm.io

Epiphany web app #2141

Open essicolo opened 8 years ago

essicolo commented 8 years ago

The Epiphany web browser (also known as GNOME Web) allows creating a desktop shortcut that embeds a web app into the desktop (Menu > Save as web application). I created a web app with Epiphany 3.18.5 for oasis.sandstorm.io. Grains don't load and return:

Error: Unauthorized [403]
    at Proxy.makeContext (server/proxy.js:1485:15)
    at server/proxy.js:1701:20
    at C (/node_modules/es6-promise.js:12:57)
    at /node_modules/es6-promise.js:17:252
    at t (/node_modules/es6-promise.js:9:473)
    at process._tickCallback (node.js:458:13)
kentonv commented 8 years ago

Hi,

Is it possible that the browser is blocking cookies on the embedded iframes? These iframes will be at a different host than the outer frame, although the host is a subdomain. The error indicates that the cookie is missing on the iframed content, which would happen if the browser refuses to set cookies. In the past we've seen this happen for people running their own private servers where they set the wildcard host to be under a different domain than the main host -- browsers which block "third-party" cookies would then block the iframe cookies. But Oasis' wildcard host is a subdomain of the main host, so it's surprising to see this happen there.

zarvox commented 8 years ago

Several things do not work well with epiphany.


First, websockets do not work, so sockjs falls back to XHR polling:

[Error] Refused to connect to 'ws://local.sandstorm.io:6080/sockjs/512/jxaswymt/websocket' because it violates the following Content Security Policy directive: "connect-src * 'self' http://static.local.sandstorm.io:6080".
[Error] SecurityError: DOM Exception 18: An attempt was made to break through the security policy of the user agent.
    (anonymous function) (ddp-client.js:1363)
    websocket (ddp-client.js:1363)
    _try_next_protocol (ddp-client.js:1285)
    _didClose (ddp-client.js:1193)
    onfinish (ddp-client.js:1119)
    emit (ddp-client.js:239)
    onfinish (ddp-client.js:2108)
    emit (ddp-client.js:239)
    onreadystatechange (ddp-client.js:936)

Second: epiphany is ignoring the Set-Cookie on the HTTP 303. I straced my frontend to see what the actual requests and replies looked like, and here's a cleaned-up snippet from the log:

first request:

GET /_sandstorm-init?sessionid=68a5b209a73eccbea7d86f5e9c4bf680401917d47f6ac912139665b7bd8381e0&path=/ HTTP/1.1
x-forwarded-proto: http
x-forwarded-port: 6080
x-forwarded-for: 127.0.0.1
cookie: __cfduid=d9fd393fcb8d570896532ca38f21936281466809966
connection: Keep-Alive
accept-language: en-us
accept-encoding: gzip, deflate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
user-agent: Mozilla/5.0 (Fedora; Linux x86_64) AppleWebKit/602.1 (KHTML, like Gecko) Version/8.0 Safari/602.1 Epiphany/3.18.5
referer: http://local.sandstorm.io:6080/grain/G4CcFowfnBdZvXZZcAdxWY
dnt: 1
host: 8a365988ef8486647bfcf69cf994efad.local.sandstorm.io:6080

first reply:

HTTP/1.1 303 See Other
X-Content-Type-Options: nosniff
Set-Cookie: sandstorm-sid=68a5b209a73eccbea7d86f5e9c4bf680401917d47f6ac912139665b7bd8381e0; Max-Age=31536000; HttpOnly
Cache-Control: no-cache, private
Location: /
Date: Fri, 24 Jun 2016 23:27:07 GMT
Connection: keep-alive
Transfer-Encoding: chunked

0

second request:

GET / HTTP/1.1
x-forwarded-proto: http
x-forwarded-port: 6080
x-forwarded-for: 127.0.0.1
cookie: __cfduid=d9fd393fcb8d570896532ca38f21936281466809966
connection: Keep-Alive
accept-language: en-us
accept-encoding: gzip, deflate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
user-agent: Mozilla/5.0 (Fedora; Linux x86_64) AppleWebKit/602.1 (KHTML, like Gecko) Version/8.0 Safari/602.1 Epiphany/3.18.5
referer: http://local.sandstorm.io:6080/grain/G4CcFowfnBdZvXZZcAdxWY
dnt: 1
host: 8a365988ef8486647bfcf69cf994efad.local.sandstorm.io:6080

This is likely either a bug in Epiphany or WebKitGTK.
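As an added diagnostic (not code from this thread or from Sandstorm itself), a small stand-in for the `/_sandstorm-init` handshake shown in the trace above: the server answers the init request with a 303 carrying the `sandstorm-sid` cookie and returns 403 on the follow-up request when that cookie is missing, and the client replays both requests either honoring or dropping the `Set-Cookie`, which reproduces the 403 a browser that ignores cookies on a 303 would hit. The handler, port and session id are constructed for the example.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

COOKIE = "sandstorm-sid"  # cookie name taken from the trace above


class InitHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the /_sandstorm-init -> 303 -> / exchange."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == "/_sandstorm-init":
            q = parse_qs(url.query)
            sid, dest = q.get("sessionid", [""])[0], q.get("path", ["/"])[0]
            self.send_response(303)
            self.send_header("Set-Cookie", f"{COOKIE}={sid}; Max-Age=31536000; HttpOnly")
            self.send_header("Location", dest)
            self.end_headers()
            return
        # Any other path requires the session cookie, like the grain proxy does.
        raw = self.headers.get("Cookie", "")
        jar = dict(c.strip().split("=", 1) for c in raw.split(";") if "=" in c)
        self.send_response(200 if COOKIE in jar else 403)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def probe(port, session_id, keep_cookie):
    """Replay the two requests; keep_cookie=False mimics dropping Set-Cookie on a 303."""
    conn = HTTPConnection("127.0.0.1", port)
    conn.request("GET", f"/_sandstorm-init?sessionid={session_id}&path=/")
    first = conn.getresponse(); first.read()
    headers = {}
    set_cookie = first.getheader("Set-Cookie")
    if keep_cookie and set_cookie:
        headers["Cookie"] = set_cookie.split(";", 1)[0]  # name=value only
    conn.request("GET", first.getheader("Location", "/"), headers=headers)
    second = conn.getresponse(); second.read()
    conn.close()
    return first.status, second.status


def run_demo():
    """Start a throwaway server and return (honoring, dropping) status pairs."""
    srv = HTTPServer(("127.0.0.1", 0), InitHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe(srv.server_port, "c0ffee", True), probe(srv.server_port, "c0ffee", False)
    finally:
        srv.shutdown()
```

A client that keeps the cookie gets `(303, 200)`; one that discards it on the redirect gets `(303, 403)`, matching the Unauthorized error in the first comment.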