CODEWITHSUNDEEP
authenticationgoogle-chromepopupopenid-connectpostmessage
Chris Riddle
Chris Riddle

Reputation: 1

Preventing the parent of a popup from being discarded by Chrome memory saver feature

We have a system where authentication of the user happens in a popup window. The popup communicates the auth success to the parent page via a post message (which includes the OIDC auth code) once complete. The parent page then completes the sign-in and logs the user in.

However, since this auth experience can take the user out of the browser (e.g. to get an OTP code from their email client), especially on a mobile device, then the parent browser tab can get discarded by Chromes memory saver feature. This means that the popup window doesn't have reference to the parent window (via window.opener), so there is no way to send the post message. Also, when the user navigates back to the parent page, the page is reloaded, and the page state is gone (e.g. the sign-in modal isn't active anymore).

Since we're a third party auth product, we can't control the parent page (e.g. getting them to perform a second sign-in automatically via a silent auth, or even showing the modal if it does disappear when the page gets reloaded).

Here's how to reproduce in Chrome (132.0.6834.111 (Official Build) (arm64)):

// Step 1. On the parent page
const popup = return window.open(popupPageUrl, "Popup page name");


// Step 2. On the popup page - assert that there is a window opener
console.log(window.opener); // should print out the parent page ref


// Step 3. Discard the parent tab via chrome://discards/, force urgent discard of the parent tab. This would usually be done automatically if Chrome/the device is low on resources, and the Chrome memory saver kicks in.


// Step 4. On the popup page - assert that the window opener is null
console.log(window.opener); // should now print null
window.opener.postMessage(...); // throws a null ref exception

Is there anyway to prevent this from happening, or reduce the likely-hood of this happening? I'm all out of ideas.

We've tried to open up a broadcast channel, that didn't work due to cross domain issues. We tried a ping-pong post message technique to try to keep the windows active, no luck.

Upvotes: 0

Views: 5

Answers (0)

Related Questions