[Webkit-unassigned] [Bug 200307] New: SameSite Lax cookies aren't sent from tabs recovered from last Safari session when in scope of service workers
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jul 31 10:10:12 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=200307
Bug ID: 200307
Summary: SameSite Lax cookies aren't sent from tabs recovered
from last Safari session when in scope of service
workers
Product: WebKit
Version: Safari Technology Preview
Hardware: All
OS: All
Status: NEW
Severity: Major
Priority: P2
Component: Service Workers
Assignee: webkit-unassigned at lists.webkit.org
Reporter: xfalcox at gmail.com
Let there be a tab with a loaded web page which:
- contains a cookie with the SameSite bit set to "Lax"
- contains an active ServiceWorker proxying fetch requests
After killing the Safari app on iOS and reopening it, Safari will reload the tab.
During this reload the Lax cookie won't be sent in the requests to the server. If you refresh the page, even multiple times, the cookie will still not be sent.
If this cookie is a login cookie, the page will be show as if aren't logged in, resulting in a weird behavior for the user.
However, if you tap the address bar, make **no change** and tap go, navigating to the current page again, the cookie will be sent this time "fixing" the page.
I created a very simple and barebones demonstration of this bug:
- Bug reproduction website: https://rocky-fjord-97287.herokuapp.com/
- Source Code: https://github.com/xfalcox/safari-sw-samesite-bug
This bug affect the open source Forum software Discourse, and made me drop the offline browsing feature for Apple devices due to it.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190731/9d461890/attachment-0001.html>
More information about the webkit-unassigned
mailing list