Samsung Internet Version: version 22.0.6.9 and later
URLs (if applicable): https://order.chatfood.io
Other browsers tested:
Safari: No issues
Firefox: Same issues
Chrome: Same issues
Edge: Same issues
What steps will reproduce the problem?
(1) Open Opera on an Android device.
(2) Visit the PWA website order.chatfood.io, which hosts multiple Progressive Web Applications (PWAs) within the same domain.
(3) Download and install multiple PWAs from the website, each associated with different restaurant owners. For example, you can download PWA1: https://order.chatfood.io/burger-king/menu, PWA2: https://order.chatfood.io/texas-chicken/menu
(4) Click PWA1 and order delivery food; allow the geolocation permission when it prompts.
(5) Click on PWA2 on your mobile device to order pickup food. Note that PWA2 does not explicitly request geolocation permission, but it can access geolocation data since it belongs to a different restaurant owner. This allows them to track your geolocation without your explicit consent.
What is the expected result?
Different PWAs with distinct Compute App IDs should isolate their permissions.
What happens instead?
The PWAs do not isolate their permissions, leading to the issue where one PWA can access permissions granted to another PWA within the same domain.
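
Added example, not part of the original report: the sketch below computes an app ID for each of the two PWAs (simplified from the Web App Manifest processing rules) and groups them by origin, which is the key browsers use for geolocation grants. The manifest contents are constructed, since the report does not show them; only the two URLs come from the report.

```javascript
// Constructed manifests: start_url values reuse the two URLs from the report.
const installedApps = [
  { name: "PWA1", documentUrl: "https://order.chatfood.io/burger-king/menu",
    manifest: { start_url: "/burger-king/menu" } },
  { name: "PWA2", documentUrl: "https://order.chatfood.io/texas-chicken/menu",
    manifest: { start_url: "/texas-chicken/menu" } },
];

// Simplified manifest identity: `id` is resolved against the origin of
// start_url; a missing, empty, unparsable or cross-origin id falls back
// to start_url itself.
function computeAppId({ documentUrl, manifest }) {
  const startUrl = new URL(manifest.start_url ?? documentUrl, documentUrl);
  if (typeof manifest.id !== "string" || manifest.id === "") return startUrl.href;
  let id;
  try {
    id = new URL(manifest.id, startUrl.origin);
  } catch {
    return startUrl.href;
  }
  return id.origin === startUrl.origin ? id.href : startUrl.href;
}

// Group apps by the origin of their app ID and keep only the origins that
// host more than one distinct app: those apps share one permission grant.
function permissionSharingReport(apps) {
  const byOrigin = new Map();
  for (const app of apps) {
    const appId = computeAppId(app);
    const origin = new URL(appId).origin; // permission store key
    if (!byOrigin.has(origin)) byOrigin.set(origin, []);
    byOrigin.get(origin).push({ name: app.name, appId });
  }
  return [...byOrigin]
    .filter(([, list]) => new Set(list.map((a) => a.appId)).size > 1)
    .map(([origin, list]) => ({ origin, apps: list }));
}

console.log(JSON.stringify(permissionSharingReport(installedApps), null, 2));
```

Both apps land in the single group `https://order.chatfood.io` despite having different app IDs; apps served from separate origins (for example, one subdomain per restaurant) would not be grouped.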