[Webkit-unassigned] [Bug 188165] iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 4 03:32:20 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=188165

--- Comment #13 from Lode Claassen <lodeclaassen at xs4all.nl> ---
A tricky part of the https://tools.ietf.org/html/rfc7231#section-4.2.1 spec is this:

> When a resource is constructed such that parameters within the
> effective request URI have the effect of selecting an action, it is
> the resource owner's responsibility to ensure that the action is
> consistent with the request method semantics.  For example, it is
> common for Web-based content editing software to use actions within
> query parameters, such as "page?do=delete".  If the purpose of such a
> resource is to perform an unsafe action, then the resource owner MUST
> disable or disallow that action when it is accessed using a safe
> request method.  Failure to do so will result in unfortunate side
> effects when automated processes perform a GET on every URI reference
> for the sake of link maintenance, pre-fetching, building a search
> index, etc.

To me (but I'm not a professional reading specs :)) it sounds like browsers are free to determine whether a request is unsafe even though it is a GET request, e.g. based on query parameters.

What we see after more testing is that this is even an issue without query parameters, it seems just because we redirect from a different domain. So `bit.ly/x` > `example.org/` won't send SameSite=Lax cookies.

What I find weird is that Safari 12 on MacOS desktop doesn't have this issue. So iOS 12 Safari is behaving differently here.

So if this is not a bug but a feature, it would be nice if both browsers behave the same. Then we can expect other browsers to follow and can adjust our flows. Now it feels like a bug.
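For reference, here is the decision the comment is arguing about, modelled on the SameSite rules from the RFC 6265bis draft: a Lax cookie is attached to a cross-site request only when that request is a top-level navigation using a safe method, so a top-level GET arriving via a redirect from another domain should carry it, while a cross-site POST (such as an OIDC form_post callback) should not. This is an added illustration, not code from this thread, from WebKit, or from ASP.NET Core; the registrable-domain helper is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List, and the `Request` record and its field names are assumptions.

```python
from dataclasses import dataclass

# Safe methods per RFC 7231 section 4.2.1.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: last two labels. Browsers use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_same_site(request_host: str, initiator_host: str) -> bool:
    return registrable_domain(request_host) == registrable_domain(initiator_host)


@dataclass
class Request:
    method: str
    host: str               # host the request is sent to
    initiator_host: str     # site that triggered it, e.g. the redirecting site
    top_level_navigation: bool


def cookie_is_sent(same_site: str, req: Request) -> bool:
    """Decide whether a cookie with the given SameSite value is attached to req."""
    mode = (same_site or "None").capitalize()
    if mode == "None":
        return True  # modern browsers additionally require the Secure attribute
    same = is_same_site(req.host, req.initiator_host)
    if mode == "Strict":
        return same
    if mode == "Lax":
        # Cross-site is allowed only for top-level navigations with a safe method.
        return same or (req.top_level_navigation and req.method.upper() in SAFE_METHODS)
    raise ValueError(f"unknown SameSite value: {same_site!r}")


def scenarios() -> dict:
    """Constructed cases mirroring the thread: a cross-domain redirect and a POST callback."""
    redirect_get = Request("GET", "example.org", "bit.ly", True)
    post_callback = Request("POST", "example.org", "idp.example.com", True)
    return {
        "lax_redirect_get": cookie_is_sent("Lax", redirect_get),        # spec says: sent
        "strict_redirect_get": cookie_is_sent("Strict", redirect_get),  # not sent
        "lax_post_callback": cookie_is_sent("Lax", post_callback),      # not sent
        "none_post_callback": cookie_is_sent("None", post_callback),    # sent
    }


if __name__ == "__main__":
    for name, sent in scenarios().items():
        print(f"{name}: {'sent' if sent else 'not sent'}")
```

The first case is the one the comment reports iOS 12 Safari getting wrong; the third is why a Lax correlation cookie cannot survive a cross-site POST callback regardless of browser.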
