[Webkit-unassigned] [Bug 188165] iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 3 16:44:39 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=188165

--- Comment #11 from David Cowden <dcow at eero.com> ---
(In reply to Matt W from comment #10)
> 
> ... Per all the other comments, removing SameSite entirely from our
> cookie does solve the problem - but obviously that is not a realistic
> solution.
>

Isn't an OIDC flow technically just a "benevolent cross-site transfer"? It's the exact attack the SameSite attribute (applied to a CSRF cookie) is trying to defend against. How does the browser distinguish an intended redirect from a malicious one?

Of course if the behavior is broken even for RFC7231 "safe" flows, that's a problem.

-- 
You are receiving this mail because:
You are the assignee for the bug.
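As an added example (not code from this bug thread, from WebKit or from ASP.NET Core), the following Python models the SameSite decision a browser makes on the leg that returns the user from the identity provider to the relying party. It shows that the browser never judges whether a cross-site navigation is "benevolent"; under Lax it only checks that the request is a top-level navigation using an RFC 7231 safe method, so a 302 back to the app carries the cookie while a form_post (top-level POST) does not. Host names, the form_post and background-fetch scenarios, and the two-label "site" approximation are assumptions for illustration.

```python
# Added example, not code from the WebKit bug thread or from ASP.NET Core.
# A minimal model of the SameSite cookie decision (RFC 6265bis semantics),
# applied to the redirect that brings the browser back to the relying party.
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # RFC 7231 section 4.2.1

def registrable_site(host: str) -> str:
    # Assumption: "site" = last two DNS labels. Real browsers consult the
    # Public Suffix List; this toy deliberately skips it.
    return ".".join(host.lower().split(".")[-2:])

@dataclass
class Request:
    method: str
    target_host: str      # host the request goes to
    initiator_host: str   # page that triggered it (link, redirect, form)
    top_level: bool       # True if it changes the address bar

def cookie_sent(samesite: str, req: Request) -> bool:
    """Return whether a cookie with the given SameSite value is attached."""
    cross_site = registrable_site(req.target_host) != registrable_site(req.initiator_host)
    if not cross_site or samesite == "None":
        return True  # same-site always; None also needs Secure in modern browsers
    if samesite == "Lax":
        # Lax judges no intent: it allows the cookie only on a top-level
        # navigation that uses a safe method, so a redirect passes, a form POST fails.
        return req.top_level and req.method.upper() in SAFE_METHODS
    return False  # Strict: never on a cross-site request

def oidc_return_scenarios() -> dict:
    """Cookie outcome for the IdP -> RP return leg (host names are constructed)."""
    rp, idp = "app.example.test", "login.idp.test"
    get_back = Request("GET", rp, idp, top_level=True)    # response_mode=query: 302 back
    post_back = Request("POST", rp, idp, top_level=True)  # response_mode=form_post
    xhr_back = Request("GET", rp, idp, top_level=False)   # background fetch, not a navigation
    return {
        ("Lax", "302 GET"): cookie_sent("Lax", get_back),
        ("Lax", "form_post"): cookie_sent("Lax", post_back),
        ("Lax", "xhr"): cookie_sent("Lax", xhr_back),
        ("Strict", "302 GET"): cookie_sent("Strict", get_back),
        ("None", "form_post"): cookie_sent("None", post_back),
    }

if __name__ == "__main__":
    for (mode, leg), sent in oidc_return_scenarios().items():
        print(f"SameSite={mode:<6} {leg:<9} cookie sent: {sent}")
```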