I wasn't able to repro this when attempting on chrome dev

I can still recreate this with Canary.

https://drive.google.com/a/google.com/file/d/128yiewtkF5tApbw0Gzn44izYBLzpX5Xd/view?usp=sharing here's a video. Requires an @google account to view, sorry. The odd notification popped up meaning I probably can't share externally. Let me know if this is a problem.

Doh! Thanks for video. I wonder if it's a race or it's specific to gmail login (don't recall what I tried) but we can investigate. It does seem lower priority as you're able to get past it with re-launch but obviously not ideal :(

I think there are a few edge cases with cct opened from webapk and coming back that we'll probably need to take a deeper dive into.

I reproduced this and at this point I have no clue what's going on. I will look into it later today and explain what's going on.

Let's observe what happens on desktop:

When user chooses "Sign In With Google" a new tab is opened. Initial load is served from thirdparty.aliexpress.com but then we're redirected to accounts.google.com. We choose an account or log-in and we're taken back to thirdparty.aliexpress.com, which then redirects to login.aliexpress.com. The last one performs some work and sends the user to https://m.aliexpress.com/snscb.htm?partner=google, which calls window.close(). If you take a look at the source you'll see it's a primary task of this page. At this point user is back on the original tab which informs them that login succeeded.

In WebAPKs many of the same things happen:

Instead of the new tab we're taken to a CCT in a new task. User logs in at accounts.google.com and aliexpress finally sends them to https://m.aliexpress.com/snscb.htm?partner=google. This page is in the scope of a WebAPK (as opposed to the thirdparty.aliexpress.com and login.aliexpress.com), so WebAPK captures the URL and the page loads in the WebAPK. This page however calls window.close(), which closes the WebAPK.

It's worth noting that CCT is not a problem here - exactly the same thing would happen if the user was taken to a new browsing context in a Chrome tab. WebAPK would still capture a redirect to a page that calls window.close().

A WebAPK here is a browsing context that is capable of capturing selected URLs. This is something new and Aliexpress shows how things can go badly with this new paradigm. CC'ing some Desktop PWA folks, as the same issue would happen on Desktop if/once Desktop PWAs are allowed to capture in-scope URLs.

My recommendation is to talk to Aliexpress and ask them to rework their login mechanism, so that window.close() happens outside of the PWA scope (e.g. on login.aliexpress.com). I don't see us fixing this anytime soon, at least I don't have any idea how to fix this.

Marking as "WontFix" and sending to Yaron, maybe he will have some more enlightened ideas.

+sbirch

Interesting bug! Logins via other origins will likely be worse on desktop PWAs as we won't have CCTs. +owen for thoughts