Google sign-in broken on Safari when using Private Mode

[nickjanssen]

Environment

• Operating System version: macOS High Sierra 10.13.4
• Browser version: Safari 11.1 (Private Mode)
• Firebase SDK version: 5.3.0
• Firebase Product: auth (auth, database, storage, etc)

The problem

signInWithRedirect and signInWithPopUp both don't work in Safari when using Private Mode.
Firefox and Chrome work fine.

signInWithPopUp says
The popup has been closed by the user before finalizing the operation.

signInWithRedirect redirects but then tries to close its window even though it's not a popup and then results in a blank screen.
Can't close the window since it was not opened by JavaScript

Steps to reproduce:

This was noticed by one of our users and we've confirmed the bug.
You can see it for yourself here (uses signInWithPopUp): https://editor.laska.io/login

[bojeil-google]

This is a known issue:
angular/angularfire#554
firebase/firebaseui-web#51
firebase/firebaseui-web#270

We rely on web storage to securely pass the result of the operation to the parent domain which is calling these APIs. Private mode browsing breaks this.

[zwily]

Short of actually fixing this, is there a way to detect that this has happened and tell the user not to use Private Browsing? Right now it is a really poor experience (just a white screen after logging in.)

[oliviervanbiervliet]

Short of actually fixing this, is there a way to detect that this has happened and tell the user not to use Private Browsing? Right now it is a really poor experience (just a white screen after logging in.)

For now, we're relying on a timeout in the originating page to detect something went wrong. A better workaround or a fix for the issue would be great.

[thisismydesign]

Having the same issue on Chrome in incognito mode. Reproducible via this CodeSandbox: https://codesandbox.io/s/github/componently-com/firebase-html-auth-starter

[veeralpatel]

https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
Will this change from Apple make this issue more prevalent? Seems like a big deal.

[malcolmdeck]

We have mitigated what we think is the issue in Chrome incognito in recent versions of the SDK, but only for popup. Support for redirect flows is still a work in progress. We imagine that this will cover Apple's changes as well

[veeralpatel]

Does that fix work for https://github.com/google/google-api-javascript-client as well?

[malcolmdeck]

I have no idea how that other library works, but unless it depends on this library in some way (which I don't believe it does) then no. The mentioned fix was for this library only.

[veeralpatel]

My bad, I imagined Firebase's SDK relied on Google's JS client app under the hood.

[kaytwo]

We have mitigated what we think is the issue in Chrome incognito in recent versions of the SDK, but only for popup. Support for redirect flows is still a work in progress. We imagine that this will cover Apple's changes as well

@malcolmdeck can you share a pointer to the commit(s) that fixed this so we can try to use your workaround in other contexts?

[veeralpatel]

^^ +1. It seems like it is still an issue for: google/google-api-javascript-client#589.

[DanielRenne]

I have the same issue on iOS simulator launching a native app that is basically a PWA wrapper app. I have tried both authorizing with Google and Apple and both times after logging in I get the white screen of death. No redirect. Is this issue still being looked into?

[Benny739]

Same issue in our project with a native app that is basically a PWA wrapper.

[CetinSert]

Hi everyone! We might have found a very simple workaround: pwa-builder/PWABuilder#3286 (comment) (confirmed from multiple websites).