[Webkit-unassigned] [Bug 188165] iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 3 16:44:39 PDT 2018


--- Comment #11 from David Cowden <dcow at eero.com> ---
(In reply to Matt W from comment #10)
> ... Per all the other comments, removing Samesite entirely from our
> cookie does solve the problem - but obviously that is not a realistic
> solution.

Isn't an OIDC flow technically just a "benevolent cross-site transfer"? It's the exact attack the SameSite attribute (applied to a CSRF cookie) is trying to defend against. How does the browser distinguish an intended redirect from a malicious one?

Of course if the behavior is broken even for RFC7231 "safe" flows, that's a problem.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181003/05bd69f8/attachment.html>

More information about the webkit-unassigned mailing list