BUG-000153460 for ArcGIS Online

漏洞 ID 编号	BUG-000153460
已提交	November 2, 2022
上次修改时间	August 5, 2025
适用范围	ArcGIS Online
找到的版本	10.2
操作系统	Apple iOS
操作系统版本	16.x
状态	Will Not Be Addressed

附加信息

This issue is caused by the browser security constraints; please see this doc: https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/, you can find details under the “Origin-Only Referrer for Domains Without User Interaction” section. With this security constraint, I don’t think we can do something to fix it. Why this is not happening in instant app: The proxy service used in instant app and ExB is not the same service. They are two pieces of data. The two data have different restrictions on access to domain: The service used by ExB, the restricted domain is the specific ExB app: https://experience.arcgis.com/experience/7e5454f17e3144f69696ff7220a2edce The service used by instant app has a restricted domain: https://disasterresponse.maps.arcgis.com (not the specific instant app) We created our own proxy item to simulate the user's environment. If the domain is restricted to a specific app and embedded in *.esri.com, the results of ExB and instant app are the same, and both pop-up boxes appear under Safari. Workaround: If possible, you can allow users to set the domain restriction for server data access to: https://experience.arcgis.com. Not limited to specific apps.

解决办法

Add https://experience.arcgis.com to the list of referrer URLs for secured service.
Disable the Prevent Cross-Site Tracking option in the device settings for the browser.