[Webkit-unassigned] [Bug 198181] Cookies with SameSite=None or SameSite=invalid treated as Strict

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 27 02:19:45 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=198181

achkim <hakim.ouazene.partner at decathlon.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hakim.ouazene.partner at decat
                   |                            |hlon.com

--- Comment #27 from achkim <hakim.ouazene.partner at decathlon.com> ---
(In reply to billy.richardson from comment #24)
> Hey Robert,
> My team and I are in the same position as you.
> 
> I am currently not sending the SameSite cookie attribute to the following
> User Agents:
> 
> ^.*iPhone; CPU iPhone OS 1[0-2].*$
> ^.*iPad; CPU OS 1[0-2].*$
> ^.*iPod touch; CPU iPhone OS 1[0-2].*$
> ^.*Macintosh; Intel Mac OS X.*Version\/1[0-2].*Safari.*$
> 
> This has been in place in our Production for several weeks without any user
> complaints. As always, you should verify yourself too :)
> 
> Regards,
> Billy Richardson

Hello Billy,
can you te

Hello,
Billy sent me this response
<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\x2F1[0-2].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>

Here is a demo page I set up: https://demo.richardson.dev/safarisamesiteapache/

If this helped, please share it with others!

And I have made this one on headers:

- edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure env=!BUG_SAME_SITE
    setenvif:
    - User-Agent ^.*iPhone; CPU iPhone OS 1[0-2].*$ BUG_SAME_SITE
    - User-Agent ^.*iPad; CPU OS 1[0-2].*$ BUG_SAME_SITE
    - User-Agent ^.*iPod touch; CPU iPhone OS 1[0-2].*$ BUG_SAME_SITE
    - User-Agent ^.*Macintosh; Intel Mac OS X.*Version\/1[0-2].*Safari.*$ BUG_SAME_SITE
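
The User-Agent gating described in this comment, as an added example (not part of the original message or of WebKit): Python that applies the same patterns and Set-Cookie rewrite to constructed User-Agent strings, so the rule can be checked before it is deployed. The function names and sample strings are assumptions made for the illustration, and skipping cookies that already carry a SameSite attribute goes beyond the quoted Apache rule.

```python
import re

# Patterns quoted in the thread (iOS 10-12, Safari 10-12 on macOS), combined
# as in the Apache <If> expression; "/" replaces the \x2F escape.
AFFECTED_UA = re.compile(
    r"(iPhone; CPU iPhone OS 1[0-2]"
    r"|iPad; CPU OS 1[0-2]"
    r"|iPod touch; CPU iPhone OS 1[0-2]"
    r"|Macintosh; Intel Mac OS X.*Version/1[0-2].*Safari)",
    re.IGNORECASE,
)
HAS_SAMESITE = re.compile(r";\s*samesite\s*=", re.IGNORECASE)


def is_affected(user_agent):
    """True when the client is one the thread withholds SameSite from."""
    return bool(AFFECTED_UA.search(user_agent or ""))


def rewrite_set_cookie(set_cookie, user_agent):
    """Mirror 'Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure'."""
    if is_affected(user_agent):
        return set_cookie  # these clients treat SameSite=None as Strict (bug 198181)
    if HAS_SAMESITE.search(set_cookie):
        return set_cookie  # assumption: never emit a second SameSite attribute
    return set_cookie + ";SameSite=None;Secure"


# Constructed User-Agent strings, for illustration only.
SAMPLES = {
    "ios12": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",
    "ios13": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Mobile/15E148 Safari/604.1",
    "mac_safari12": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15",
    "mac_chrome": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) "
                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(name, "->", rewrite_set_cookie("sid=abc; Path=/; HttpOnly", ua))
```

Chrome on macOS is not matched because its User-Agent carries no `Version/` token, and a request with no User-Agent header gets the attribute appended, as it would under the `!~` test in the Apache expression.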
