[Webkit-unassigned] [Bug 200307] New: SameSite Lax cookies aren't sent from tabs recovered from last Safari session when in scope of service workers

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 31 10:10:12 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=200307

            Bug ID: 200307
           Summary: SameSite Lax cookies aren't sent from tabs recovered
                    from last Safari session when in scope of service
                    workers
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: All
                OS: All
            Status: NEW
          Severity: Major
          Priority: P2
         Component: Service Workers
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: xfalcox at gmail.com

Let there be a tab with a loaded web page which:

- contains a cookie with the SameSite bit set to "Lax"
- contains an active ServiceWorker proxying fetch requests

After killing the Safari app on iOS and reopening it, Safari will reload the tab.

During this reload the Lax cookie won't be sent in the requests to the server. If you refresh the page, even multiple times, the cookie will still not be sent.

If this cookie is a login cookie, the page will be shown as if you aren't logged in, resulting in a weird behavior for the user.

However, if you tap the address bar, make **no change** and tap go, navigating to the current page again, the cookie will be sent this time "fixing" the page.

I created a very simple and barebones demonstration of this bug:

- Bug reproduction website: https://rocky-fjord-97287.herokuapp.com/

- Source Code: https://github.com/xfalcox/safari-sw-samesite-bug

This bug affects the open source forum software Discourse, and made me drop the offline browsing feature for Apple devices due to it.
