
sessionStorage no longer works for SSO in Firefox

Open davidje13 opened this issue 5 years ago • 3 comments

Firefox has changed the sessionStorage behaviour; it is no longer possible to set sessionStorage data, redirect the user to another site, get redirected back, and read that data. This is how the login nonce is currently being handled.

From the MDN description this appears to be intentional, so it may be necessary to switch to localStorage instead.

This has also revealed that the user flow if the nonce is not present is not good; currently it invokes setError(''), which makes the page appear to hang. It should show a real error message. It might even be desirable to let the user override the nonce check by clicking a button in this case (intentional user interaction mitigates the same security risks as the nonce).

davidje13 Aug 02 '20 12:08

This is a result of adding cross-origin-opener-policy; removing temporarily as a workaround.

davidje13 Aug 02 '20 13:08

The workaround of using localStorage rather than sessionStorage is not ideal; reported on Bugzilla with a request for clarification here: https://bugzilla.mozilla.org/show_bug.cgi?id=1656768

davidje13 Aug 02 '20 14:08

According to the Mozilla bug tracker, this will be fixed in the browser in version 85 (current version is 84).

Once this is confirmed fixed, the Firefox special-casing should be updated to only apply to FF < 85 (and once FF 86 is out, can be removed entirely, since we only support the last 2 versions of browsers).

davidje13 Jan 17 '21 11:01

This has been tidied up now, mostly in e347f27cafe8bb9c21cce371ed12c9a531bdf837

davidje13 Dec 20 '24 10:12