[Webkit-unassigned] [Bug 161780] New: iOS 10 video player does not send HttpOnly cookies; missing test coverage
bugzilla-daemon at webkit.org
Thu Sep 8 17:39:59 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=161780
Bug ID: 161780
Summary: iOS 10 video player does not send HttpOnly cookies; missing test coverage
Classification: Unclassified
Product: WebKit
Version: Other
Hardware: iOS
OS: Other
Status: NEW
Severity: Major
Priority: P2
Component: Media Elements
Assignee: webkit-unassigned at lists.webkit.org
Reporter: fabian at tag1consulting.com
Created attachment 288370
--> https://bugs.webkit.org/attachment.cgi?id=288370&action=review
Adds the missing test coverage for HttpOnly cookies.
OS had a nasty bug in iOS 7.0.4, where cookies had been missing for requests sent from VideoPlayers. (Original openradar: http://openradar.appspot.com/radar?id=5238098090786816; test script: https://www.bizify.me/test-if-your-ios-device-is-broken/)
This bug is back in iOS 10 (Visit: https://www.bizify.me/test-if-your-ios-device-is-broken/), though neither Safari nightly nor Safari Technology Preview is affected.
This time, however, only the JavaScript-allowed cookies are sent to the server, not the HttpOnly cookies.
This test coverage is missing in WebKit as well, because it also does not specifically test for HttpOnly cookies, which usually are excluded from client-side JavaScript.
Patch is attached to fix the test coverage at least, but this should be fixed in iOS 10 ASAP, as it makes authentication of users for videos impossible again.
--
You are receiving this mail because:
You are the assignee for the bug.