Need to set user-agent for Duo remember me
The "Remember me" checkbox in the Duo Security authentication dialog doesn't work in Fedora 38's NetworkManager-openconnect webview. (I'm using the dwmw2 copr repo.)
The symptoms are the same as #73 (closed) , but the cause is different.
This worked in Fedora 36 and Fedora 37.
(Aside: Epiphany, too, has difficulty with this Duo "remember me" checkbox. I tested Epiphany at the Duo Security demo: https://demo.duo.com/googledrive . The demo thinks that Epiphany doesn't have cookies enabled.)
(Aside: The checkbox does work when I use an alternative, gp-saml-gui, both with webkit2 4.0 and webkit2 4.1. It is unaffected by this problem because it overrides the default user-agent string and, therefore, webkit2gtk webview is not detected as safari by Duo Security's user-agent sniffing. If I remove the user-agent override, I experience the same problem that I'm experiencing with NetworkManager-openconnect: clicking the Remember me checkbox disables the entire authentication dialog and I must cancel and start over.)
I've found that the Duo Security authentication dialog is detecting the user-agent of the webview as safari. It assumes that any safari browser won't accept third-party cookies, even if the cookie has SameSite=None; Secure attributes. For safari browsers, it attempts a work-around of opening a new hidden window to set the cookie that way. The webkit2gtk webview (and Epiphany) doesn't like this workaround. The result is that the checkbox doesn't work; all the inputs become disabled (as shown in the screenshot of #73 (closed)).
The checkbox works if I set the user-agent to something other than Safari. (The javascript logic can be seen here: https://api-51f72e10.duosecurity.com/frame/static/js/page/v3/prompt.js?v=72a73 . Look for createCookie and isThirdPolicyBrowser.)
In my local build of NetworkManager-openconnect, I added these two lines:
WebKitSettings *settings = webkit_web_view_get_settings(WEBKIT_WEB_VIEW(webView));
webkit_settings_set_user_agent(settings, "GNOME/NetworkManager-openconnect");
to auth-dialog/main.c .
And now the "Remember me" checkbox in the Duo Security authentication dialog works.
The problem could well go away with an update to webkit2gtk (to allow javascript to popup hidden windows) or to Duo Security's javascript logic (to not rely on user-agent sniffing). But I believe setting the user-agent as I've shown above is a reasonable change.
BTW, I also tried this setting:
webkit_settings_set_javascript_can_open_windows_automatically(settings, true);
but it didn't help.