Description of the issue:
In Netdata, users can access different “Agent” pages, like:
https://newyork.my-netdata.io/
https://london.my-netdata.io/
which share the same single sign-on system, redirecting to the https://netdata.cloud/account/sign-in-agent login page. The sign-on domain (netdata[dot]cloud) is then loaded as an iframe on individual pages, like *.my-netdata.io, and it reads cookies set during sign-in and sends them via window.parent.postMessage.
Unfortunately, Brave shield is blocking that communication. Parent pages don’t receive any message from the iframe. It can be solved by switching the Shield setting from “Cross-site cookies blocked” to “All cookies allowed” on individual Agent pages (like newyork.my-netdata.io), but it’s problematic, because users can use even dozens of different pages with a single login. It would be better if there was an option to whitelist only the netdata[dot]cloud SSO page.
Is blocking of window.parent.postMessage() intentional in this case?
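
For readers following the mechanism, here is an added example (not part of the original post and not Netdata's code) of the parent-page side of such an iframe handshake: it accepts messages only from the SSO origin and reports a "blocked" state when nothing arrives, which is the symptom described above. The message shape `{ type: "sso-token", token }` and the 3000 ms timeout are assumptions made for illustration.

```javascript
// Added example: parent-side receiver for an iframe SSO handshake.
// Assumed (hypothetical) message shape: { type: "sso-token", token: "<string>" }.
const SSO_ORIGIN = "https://netdata.cloud";

// Accept a message only if it comes from the SSO origin and has the expected shape.
function parseSsoMessage(event) {
  // Exact origin comparison: suffix or substring checks would accept look-alike hosts.
  if (!event || event.origin !== SSO_ORIGIN) return null;
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== "sso-token") return null;
  if (typeof data.token !== "string" || data.token === "") return null;
  return { token: data.token };
}

// Wait for a valid SSO message on `target` (the window, in a browser).
// Resolves to { status: "blocked" } if none arrives before the timeout, which is
// what the parent sees when the iframe cannot read its cookies and stays silent.
function waitForSso(target, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const onMessage = (event) => {
      const parsed = parseSsoMessage(event);
      if (!parsed) return; // ignore messages from other frames or extensions
      cleanup();
      resolve({ status: "signed-in", token: parsed.token });
    };
    const timer = setTimeout(() => {
      cleanup();
      resolve({ status: "blocked" });
    }, timeoutMs);
    const cleanup = () => {
      clearTimeout(timer);
      target.removeEventListener("message", onMessage);
    };
    target.addEventListener("message", onMessage);
  });
}
```

In a browser the parent page would call `waitForSso(window)` after inserting the iframe and fall back to a full-page redirect to the sign-in page on `"blocked"`.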