[Webkit-unassigned] [Bug 189952] New: Intelligent Tracking Prevention preventing BBC.co.uk sign in

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 25 10:28:17 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=189952

            Bug ID: 189952
           Summary: Intelligent Tracking Prevention preventing BBC.co.uk
                    sign in
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Macintosh
                OS: macOS 10.13
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: marc.burrows at bbc.co.uk

Created attachment 350755

  --> https://bugs.webkit.org/attachment.cgi?id=350755&action=review

Blank cookies

Hi,

This bug is following up on this discussion with John Willander on Twitter: https://twitter.com/Marc_Burrows/status/1043049662603841538

**Overview**
Since the release of Safari 12 we have had lots of feedback from users that can no longer access the parts of the BBC website that require sign in. This is affecting by no means all users of Safari 12, and we are unable to recreate it in house.

**Manifestation**
We have seen a few machines with the issue, and it manifests itself in the following manner:
- User has all the correct cookies set on bbc.co.uk
- Three cookies, which are set whilst on session.bbc.co.uk for bbc.co.uk, but are blank and are now “session” cookies. I believe this is what is meant by the cookies having been “partitioned”. See screenshot.
- Cookies on account.bbc.com and session.bbc.com seem to be set correctly

**Known Fixes**
- Clear entire history
- Go to account.bbc.com/account, quit Safari, open Safari, (maybe click sign in, can’t be sure) user appears signed in on bbc.co.uk

**FLOWS**

*Sign In*
Our flow to get the majority of the users in the UK signed in is as follows:
- User starts on https://www.bbc.co.uk
- Clicks "Sign In"
- User GETs to https://session.bbc.co.uk/session - no relevant cookies being set
- User 302 redirects to https://account.bbc.com/authorise - no cookies being set
- User 302 redirects to https://account.bbc.com/authoriseLogin - no relevant cookies being set
- User 302 redirects to https://account.bbc.com/signin - no relevant cookies being set
- User enters email & password, and clicks submit
- User POSTs to https://account.bbc.com/signin - ckns_session, ckns_jwt being set on .account.bbc.com
- User 302 redirects to https://account.bbc.com/authorise - no cookies being set
- User 302 redirects to https://session.bbc.co.uk/session/callback - ckns_rtkn being set on .session.bbc.co.uk, and ckns_idtkn (SECURE), ckns_atkn (SECURE), ckns_stateless (NOT SECURE), ckns_id (NOT SECURE), ckpf_sylphid (NOT SECURE) being set on .bbc.co.uk
- User 302 redirects back on https://www.bbc.co.uk and is signed in

*Normal Token Refresh when everything works*
- User starts on https://www.bbc.co.uk and needs a token refresh
- In iFrame - User goes to https://session.bbc.co.uk/session - no cookies being set
- iFrame redirected to https://account.bbc.com - This checks if a cookie is set, but no cookies are being set
- iFrame redirected back to https://session.bbc.co.uk/session - ckns_stateless, ckns_idtkn, ckns_atkn, ckns_id being set on .bbc.co.uk

*Stateful Token Refresh (Which is what we believe people are seeing because their cookies are blank)*
- User starts on https://www.bbc.co.uk and clicks sign in
- User GETs to https://session.bbc.co.uk/session - no relevant cookies being set
- User 302 redirects to https://account.bbc.com/authorise - no cookies being set
- User 302 redirects to https://session.bbc.co.uk/session/callback - no cookies being set
- User 302 redirects to https://session.bbc.com/session/affinity - no cookies being set
- User 302 redirects to https://session.bbc.co.uk/session/callback - ckns_rtkn being set on .session.bbc.co.uk, and ckns_idtkn (SECURE), ckns_atkn (SECURE), ckns_stateless (NOT SECURE), ckns_id (NOT SECURE), ckpf_sylphid (NOT SECURE) being set on .bbc.co.uk
- User 302 redirects back on https://www.bbc.co.uk but does *NOT* appear signed in as ckns_stateless, ckpf_sylphid and most importantly ckns_id are blank and are session cookies.

**Questions**
- Are we correct in that the three cookies on bbc.co.uk are being partitioned?
- What we don’t understand is why the three cookies on bbc.co.uk are blank (so are therefore set as tracking cookies?), because users are always interacting with pages on bbc.co.uk (within the UK). Is this due to ITP?
    - Users are unlikely to regularly interact with pages on bbc.com, unless they wish to update something with their account.
- Unless we have misunderstood, we don’t believe that the storage access API will resolve our issues, because this has nothing to do with embedding content from a different domain on our pages.
- Let us know if you need more info on anything.
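The flows above are written out as prose, which makes it hard to see at a glance which hop writes which first-party cookie and whether that hop was reached by a redirect from another site. The script below is an added example for this thread (it is not BBC or WebKit code): it transcribes the "Stateful Token Refresh" chain from the report as data, with placeholder cookie values (the report shows none) and only the Secure flags the report states, and flags every cookie written by a hop whose registrable domain differs from the previous hop's. That heuristic mirrors the reporter's suspicion about redirect-based partitioning and is an assumption here, not a description of WebKit's actual ITP algorithm; the two-entry public-suffix table is likewise a stand-in for the real list.

```python
"""Audit a sign-in redirect chain for first-party cookies written on a
cross-site return hop.

Constructed example for this bug thread; not BBC or WebKit code. The chain
is transcribed from the report's "Stateful Token Refresh" flow with made-up
cookie values. The cross-site-hop heuristic is an assumption that mirrors
the reporter's suspicion, not WebKit's actual ITP logic.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Tiny stand-in for the public-suffix list: enough for the hosts in the report.
PUBLIC_SUFFIXES = {"co.uk", "com"}


def site_of(host: str) -> str:
    """Registrable domain (eTLD+1) of a host, e.g. session.bbc.co.uk -> bbc.co.uk."""
    labels = host.lower().split(".")
    for n in (2, 1):  # longest suffix first: co.uk before com
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def parse_set_cookie(header: str):
    """Return (name, domain without leading dot, secure) from a Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    domain, secure = "", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()
        elif key.strip().lower() == "secure":
            secure = True
    return name, domain, secure


@dataclass
class Hop:
    url: str
    set_cookie: list = field(default_factory=list)  # Set-Cookie values in the response


@dataclass
class Finding:
    hop_index: int
    name: str
    cookie_domain: str
    secure: bool
    prev_site: str
    this_site: str


def audit(chain):
    """Flag every cookie set by a hop whose site differs from the previous hop's."""
    findings, prev_site = [], None
    for i, hop in enumerate(chain):
        host = urlsplit(hop.url).hostname
        this_site = site_of(host)
        if prev_site is not None and prev_site != this_site:
            for header in hop.set_cookie:
                name, domain, secure = parse_set_cookie(header)
                findings.append(Finding(i, name, domain or host, secure, prev_site, this_site))
        prev_site = this_site
    return findings


def cookies_at_risk(chain, first_party):
    """Split flagged cookies scoped exactly to the first-party site by Secure flag."""
    secure, insecure = [], []
    for f in audit(chain):
        if f.cookie_domain == first_party:
            (secure if f.secure else insecure).append(f.name)
    return secure, insecure


# Transcribed from the report's "Stateful Token Refresh" flow; cookie values are made up.
STATEFUL_REFRESH = [
    Hop("https://www.bbc.co.uk/"),
    Hop("https://session.bbc.co.uk/session"),
    Hop("https://account.bbc.com/authorise"),
    Hop("https://session.bbc.co.uk/session/callback"),
    Hop("https://session.bbc.com/session/affinity"),
    Hop("https://session.bbc.co.uk/session/callback", [
        "ckns_rtkn=r1; Domain=.session.bbc.co.uk",  # attributes not stated in the report
        "ckns_idtkn=i1; Domain=.bbc.co.uk; Secure",
        "ckns_atkn=a1; Domain=.bbc.co.uk; Secure",
        "ckns_stateless=s1; Domain=.bbc.co.uk",
        "ckns_id=u1; Domain=.bbc.co.uk",
        "ckpf_sylphid=p1; Domain=.bbc.co.uk",
    ]),
    Hop("https://www.bbc.co.uk/"),
]

if __name__ == "__main__":
    for f in audit(STATEFUL_REFRESH):
        print(f"hop {f.hop_index}: {f.prev_site} -> {f.this_site} sets "
              f"{f.name} on {f.cookie_domain} ({'Secure' if f.secure else 'not Secure'})")
    print("at risk on bbc.co.uk:", cookies_at_risk(STATEFUL_REFRESH, "bbc.co.uk"))
```

Run as-is, the only hop that writes cookies is the final `session/callback`, reached by a redirect from `session.bbc.com`, and the `.bbc.co.uk` cookies on that hop without the Secure attribute are exactly the three the report says end up blank (`ckns_stateless`, `ckns_id`, `ckpf_sylphid`). Independently of the partitioning question, a cookie without Secure is also sent on cleartext HTTP requests to the domain, so an identity cookie like `ckns_id` lacking it is worth reviewing on its own.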
