[Webkit-unassigned] [Bug 198181] Cookies with SameSite=None or SameSite=invalid treated as Strict
bugzilla-daemon at webkit.org
Fri May 24 11:48:54 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=198181
--- Comment #7 from Joseph Pecoraro <joepeck at webkit.org> ---
> > > Yep, and it has already been fixed if I am remembering correctly. Fix may
> > > not have shipped, yet.
Correct, I don't believe the CFNetwork change has shipped yet. I waited to change Web Inspector until our Network stack made the change.
> > Does "fixed" mean that `Set-Cookie: name=value; SameSite=InvalidValue` is
> > interpreted as `Set-Cookie: name=value;` (which is what this bug is asking
> > for)? Or as `Set-Cookie: name=value; SameSite=Strict` (which is what that
> > Inspector patch does)?
>
> Then it sounds like the inspector patch is wrong (I haven’t looked at it).
>
>
> > I'm hoping for the former. :)
> >
>
> The former.
Web Inspector should be doing the former:
https://trac.webkit.org/browser/trunk/Source/WebInspectorUI/UserInterface/Models/Cookie.js#L117
```
static parseSameSiteAttributeValue(attributeValue)
{
    if (!attributeValue)
        return WI.Cookie.SameSiteType.None;
    switch (attributeValue.toLowerCase()) {
    case "lax":
        return WI.Cookie.SameSiteType.Lax;
    case "strict":
        return WI.Cookie.SameSiteType.Strict;
    }
    return WI.Cookie.SameSiteType.None;
}
```
We also have tests:
https://trac.webkit.org/browser/trunk/LayoutTests/inspector/unit-tests/cookie.html#L173
```
// SameSite with unknown value is ignored.
test(`name=value; SameSite=invalid`, {
    name: "name",
    value: "value",
    expires: null,
    maxAge: null,
    path: null,
    domain: null,
    secure: false,
    httpOnly: false,
    sameSite: WI.Cookie.SameSiteType.None,
});
```
This was all done in:
https://bugs.webkit.org/show_bug.cgi?id=196927
commit 10b4574f710b67f24dc0b219b9c0f67a2014f101
Author: pecoraro at apple.com <pecoraro at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Apr 15 21:53:48 2019 +0000
Web Inspector: SameSite parsing should be stricter
https://bugs.webkit.org/show_bug.cgi?id=196927
<rdar://problem/42291601>
--
• Are you seeing otherwise?
• Are you using Safari Technology Preview?
--
You are receiving this mail because:
You are the assignee for the bug.
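The two interpretations discussed in this thread, side by side, as an added example that is not part of the original message and is not WebKit code. It lists the cookies in a set of `Set-Cookie` headers whose enforcement differs depending on whether an unrecognised `SameSite` value is ignored or treated as Strict; the function names and sample headers are constructed for illustration.

```javascript
// Added example, not WebKit code. Function names and sample headers are constructed.

// Raw SameSite attribute value of one Set-Cookie header, or null if absent.
// Assumption: when the attribute is repeated, the last occurrence is used.
function rawSameSite(setCookie) {
    let raw = null;
    for (const part of setCookie.split(";").slice(1)) { // skip name=value
        const eq = part.indexOf("=");
        const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
        if (key === "samesite")
            raw = eq === -1 ? "" : part.slice(eq + 1).trim();
    }
    return raw;
}

// Interpretation the comment calls correct: only lax/strict count, anything
// else is ignored as if the attribute were not there.
function ignoreUnknown(raw) {
    switch ((raw || "").toLowerCase()) {
    case "lax": return "Lax";
    case "strict": return "Strict";
    }
    return "None";
}

// Interpretation in the bug title: SameSite=None or an unrecognised value is
// enforced as Strict. Assumption: an empty value counts as unrecognised.
function unknownAsStrict(raw) {
    if (raw === null)
        return "None";
    return raw.toLowerCase() === "lax" ? "Lax" : "Strict";
}

// Cookies whose enforcement differs between the two interpretations.
function auditSetCookie(headers) {
    return headers.map((header) => {
        const raw = rawSameSite(header);
        return { name: header.split("=")[0].trim(), raw,
                 ignored: ignoreUnknown(raw), strict: unknownAsStrict(raw) };
    }).filter((c) => c.ignored !== c.strict);
}

// Constructed sample headers.
const sampleHeaders = [
    "sid=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sso=xyz; Secure; SameSite=None",
    "pref=1; SameSite=invalid",
    "theme=dark; Path=/",
    "csrf=t0k; SameSite=STRICT",
];
console.log(auditSetCookie(sampleHeaders));
```

Cookies reported here are the ones that would stop being sent on cross-site requests under the Strict interpretation, which is where cross-site sign-in or embedded flows would break.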