[Webkit-unassigned] [Bug 139683] New: "Allow from current website only" privacy setting strips cookies from 302 redirects

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 16 10:54:03 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=139683

            Bug ID: 139683
           Summary: "Allow from current website only" privacy setting
                    strips cookies from 302 redirects
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Macintosh
                OS: Mac OS X 10.10
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ptoomey3 at biasedcoin.com

We are seeing cookies stripped from requests that result from a 302 redirect for users using Safari 8 with the "Allow from current website only" privacy setting. This was discovered while debugging an issue where users were unable to authorize an application using OAuth with Safari. A typical OAuth flow is:

1. Client application/site does a 302 redirect to (or directly links to) the OAuth provider.
2. OAuth provider validates the user is logged in and lets the user authorize the client application.
3. OAuth provider does a 302 redirect (or meta-refresh) back to the client application with a `code` to be used to exchange for a valid OAuth token.

We are seeing cookies stripped from the requests resulting from the 302 redirect that occurs in step 1 and step 3. Despite their being functionally similar, the meta-refresh redirection approach does not strip cookies from the request back to the client application. From a privacy perspective it seems these two approaches (302 vs. meta-refresh) should work the same (i.e. they should either both strip cookies or both not strip cookies). From a functional perspective, many sites rely on cookie-bearing 302 redirects for OAuth (and likely other use cases). So, the hope is that this is a bug and that cookies should be sent along with requests that result from a 302 redirect (or meta-refresh).
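A small local harness for checking the behaviour described above in a given browser: it lets one host set a cookie, then reaches that host's `/probe` path either through a 302 or through a meta-refresh from the other host and logs whether the cookie arrived. This is an added example, not code from the bug report or from WebKit; the host names (`localhost` and `127.0.0.1` as two separate cookie scopes), port and paths are assumptions.

```python
# Constructed harness for comparing cookie delivery after a 302 redirect
# versus a meta-refresh. Run one server; address it by two host names so the
# browser keeps two separate cookie jars (an assumption about the browser).
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
import html

ALLOWED_HOSTS = {"localhost", "127.0.0.1"}  # keep the redirector closed
PORT = 8000


def build_response(path, cookie_header):
    """Map a request path and its Cookie header to (status, headers, body)."""
    url = urlparse(path)
    query = parse_qs(url.query)
    if url.path == "/login":
        # Sets a cookie scoped to whichever host name the browser used.
        return 200, {"Set-Cookie": "session=1; Path=/"}, "cookie set for this host"
    if url.path in ("/redirect302", "/meta"):
        target = query.get("to", [""])[0]
        if urlparse(target).hostname not in ALLOWED_HOSTS:
            return 400, {}, "refusing to redirect off the harness"  # no open redirect
        if url.path == "/redirect302":
            return 302, {"Location": target}, ""
        # Same hop expressed as an HTML meta-refresh instead of a 302.
        body = '<meta http-equiv="refresh" content="0;url=%s">' % html.escape(target, quote=True)
        return 200, {"Content-Type": "text/html"}, body
    if url.path == "/probe":
        got = "session=1" in (cookie_header or "")
        return 200, {}, "cookie received: %s" % got
    return 404, {}, "not found"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = self.headers.get("Cookie")
        status, headers, body = build_response(self.path, cookie)
        self.log_message("%s Cookie=%r", self.path, cookie)  # the comparison log
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    HTTPServer(("", PORT), Handler).serve_forever()
```

In the browser under test, visit `http://127.0.0.1:8000/login`, then `http://localhost:8000/redirect302?to=http://127.0.0.1:8000/probe` and `http://localhost:8000/meta?to=http://127.0.0.1:8000/probe`; the two `/probe` lines in the server log show whether the cookie was attached on each path.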
