[Webkit-unassigned] [Bug 198181] New: Cookies with SameSite=None or SameSite=invalid treated as Strict
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu May 23 09:48:12 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=198181
Bug ID: 198181
Summary: Cookies with SameSite=None or SameSite=invalid treated
as Strict
Product: WebKit
Version: WebKit Nightly Build
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: rowan at merewood.org
Cookies specifying `SameSite=None` or sending an invalid value, e.g. `SameSite=nonsense` appear to be treated as `Strict` and are therefore not being sent with cross-site requests as intended.
There is this recent bug: https://bugs.webkit.org/show_bug.cgi?id=196927 which appears related and also references https://httpwg.org/http-extensions/rfc6265bis.html#the-samesite-attribute-1 for the correct behaviour.
You can see this demonstrated in this example:
1. Set a range of cookies with different `SameSite` values:
https://peaceful-wing.glitch.me/setcookies
2. Verify those cookies are set in a same-site context:
https://peaceful-wing.glitch.me/
3. See which cookies are sent in a cross-site context:
https://merewood.org/samesite.html
>From the example site's output
Expected cookies in the cross-site context:
{
"remote-site-unspecified": "unspecified",
"remote-site-none-nosecure": "none",
"remote-site-none-secure": "none-secure",
"remote-site-nonsense": "nonsense"
}
Actual cookies in the cross-site context:
{
"remote-site-unspecified": "unspecified"
}
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190523/85839bb1/attachment.html>
More information about the webkit-unassigned
mailing list