[Webkit-unassigned] [Bug 188165] iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 3 17:41:23 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=188165

--- Comment #12 from Matt W <matt at nextdoor.com> ---
David,
  You're right - OIDC is indeed a benevolent cross-site transfer. I see this issue as having two parts.

First, Webkit went off and probably did the "right" thing by following the RFC explicitly and when Samesite=Lax, they go ahead and block the passing of the cookie to the original server on unsafe request types (request_mode=form_post). This is really just a more "RFC-correct" way of enforcing this behavior, which it seems like other browsers may have been more flexible on.

Second, and this is really the bug I think, it seems that WebKit is also blocking SAFE [1] web requests like GETs which are used when request_mode=query. The RFC [2] clearly specifies that these "safe" methods should be allowed to pass the cookie along even in a cross-site pattern: 

  "In the
   interests of providing a drop-in mechanism that mitigates the risk of
   CSRF attacks, developers may set the "SameSite" attribute in a "Lax"
   enforcement mode that carves out an exception which sends same-site
   cookies along with cross-site requests if and only if they are top-
   level navigations which use a "safe" (in the [RFC7231] sense) HTTP
   method."


It seems to me that this is the crux of the bug - that the Samesite:Lax attribute cannot be used with this new version of Webkit, even though the RFC says it should be fine.

1: https://tools.ietf.org/html/rfc7231#section-4.2.1
2: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7
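The Lax rule quoted in the comment above, worked through for both OIDC response modes, as an added example in Python that is not part of this bug thread, of WebKit or of ASP.NET Core. It assumes the OIDC `response_mode` values `query` and `form_post` (the comment writes `request_mode`) and a constructed cookie name; what the comment reports is that WebKit dropped the cookie even in the `query` (top-level GET) case, which this model of the draft says must be sent.

```python
from dataclasses import dataclass

# "Safe" methods in the RFC 7231 section 4.2.1 sense.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str  # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool            # initiator's site differs from the request's site
    top_level_navigation: bool  # navigates the top-level document, not a subresource


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Decide whether a SameSite cookie is attached to a request, following the
    draft-ietf-httpbis-rfc6265bis-02 section 5.3.7 wording quoted in the comment."""
    if not req.cross_site:
        return True  # same-site requests always carry the cookie
    mode = cookie.same_site.lower()
    if mode == "none":
        return True
    if mode == "strict":
        return False  # Strict never travels cross-site
    # Lax: cross-site only when it is a top-level navigation with a safe method.
    return req.top_level_navigation and req.method.upper() in SAFE_METHODS


def oidc_callback_request(response_mode: str) -> Request:
    """Model the browser's return from the IdP to the relying party's redirect_uri.
    'query' arrives as a top-level GET, 'form_post' as an auto-submitted top-level
    POST. Both are cross-site, because the IdP's page initiates the navigation."""
    if response_mode == "query":
        return Request("GET", cross_site=True, top_level_navigation=True)
    if response_mode == "form_post":
        return Request("POST", cross_site=True, top_level_navigation=True)
    raise ValueError(f"unsupported response_mode: {response_mode}")


def correlation_cookie_survives(same_site: str, response_mode: str) -> bool:
    """Does the relying party's correlation cookie (constructed name; the real
    handler's cookie naming is not modelled) reach the OIDC callback?"""
    cookie = Cookie("rp-correlation-example", same_site)
    return cookie_is_sent(cookie, oidc_callback_request(response_mode))
```

Per the draft, only the `form_post` (POST) loss is expected under Lax; losing the cookie on a `query` callback is the behaviour the comment identifies as the bug.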
