[Webkit-unassigned] [Bug 179348] "Allow from websites I visit" privacy setting strips cookies from 302 redirects on <video>

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 8 23:44:59 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=179348

--- Comment #3 from Jer Noble <jer.noble at apple.com> ---
(In reply to Jeremy Selier from comment #0)
> Similar to this old bug: https://bugs.webkit.org/show_bug.cgi?id=139683
> 
> 1. Load website at foo.com
> 2. Website creates a <video> and points to bar.com in src.
> 3. bar.com does a 302 redirect to bar.com/somethingelse with a set-cookie
> 
> Expected: set-cookie is indeed set on redirect
> Actual: set-cookie is not set on bar.com/somethingelse query

Yes, this is behaving as intended. Responses from bar.com in a foo.com context can't set cookies. You'll find the same behavior with <img src="http://bar.com/somethingelse">.

> If I change my setting to "Always allow", it works fine. Also checked same
> code in latest iOS on iPhone and it also fails there.
> The interesting part is that if I open bar.com in a new tab, the set-cookie
> is properly set on redirect to bar.com/somethingelse

This is also behaving as intended; you've visited bar.com in a first-party context, so subsequent requests in a third-party context will be allowed to set and read cookies (for a while, until Intelligent Tracking Protection kicks in).

> All other browsers tested work fine. Let me know if you need a repro case.

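The three cases discussed in this thread (default setting, "Always allow", and a prior first-party visit to bar.com), as an added example that is not part of the original message and is not WebKit code. It is a simplified model built only from the behavior described above: the class, function names and the `session=abc` cookie are hypothetical, hosts are compared by exact hostname, and Intelligent Tracking Protection expiry is not modeled.

```javascript
// Simplified model of the policy described in the thread (assumption, not WebKit's implementation).
class CookieModel {
  constructor(setting) {
    this.setting = setting;             // "visited" = "Allow from websites I visit", "always" = "Always allow"
    this.firstPartyVisited = new Set(); // hosts the user has loaded as the top-level page
    this.jar = new Map();               // host -> Map(cookie name -> value)
  }
  mayUseCookies(topHost, host) {
    if (this.setting === "always") return true;
    return host === topHost || this.firstPartyVisited.has(host);
  }
  // Follow a redirect chain for one load. `hops` maps URL -> constructed response.
  // Returns the Cookie header value sent with each request, in order.
  fetch(topLevelUrl, url, hops) {
    const topHost = new URL(topLevelUrl).hostname;
    const sent = [];
    while (url) {
      const host = new URL(url).hostname;
      if (host === topHost) this.firstPartyVisited.add(host);
      const allowed = this.mayUseCookies(topHost, host);
      const stored = this.jar.get(host);
      const cookie = allowed && stored
        ? [...stored].map(([k, v]) => `${k}=${v}`).join("; ") : "";
      sent.push({ url, cookie });
      const res = hops[url] || { status: 200 };
      if (res.setCookie && allowed) {   // Set-Cookie is dropped when not allowed
        const [name, value] = res.setCookie.split("=");
        if (!this.jar.has(host)) this.jar.set(host, new Map());
        this.jar.get(host).set(name, value);
      }
      url = res.status === 302 ? new URL(res.location, url).href : null;
    }
    return sent;
  }
}

// Constructed responses mirroring steps 2-3 of the report.
const HOPS = {
  "http://bar.com/video": { status: 302, location: "/somethingelse", setCookie: "session=abc" },
  "http://bar.com/somethingelse": { status: 200 },
};

// Cookie header that reaches bar.com/somethingelse when foo.com embeds the <video>.
function cookieOnRedirectTarget(setting, visitBarFirst) {
  const model = new CookieModel(setting);
  if (visitBarFirst) model.fetch("http://bar.com/", "http://bar.com/", {}); // open bar.com in a new tab
  return model.fetch("http://foo.com/", "http://bar.com/video", HOPS)[1].cookie;
}
```
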