[Webkit-unassigned] [Bug 198181] Cookies with SameSite=None or SameSite=invalid treated as Strict

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri May 24 11:48:54 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=198181

--- Comment #7 from Joseph Pecoraro <joepeck at webkit.org> ---
> > > Yep, and it has already been fixed if I am remembering correctly. Fix may
> > > not have shipped, yet.

Correct, I don't believe the CFNetwork change has shipped yet. I waited to change Web Inspector until our Network stack made the change. 


> > Does "fixed" mean that `Set-Cookie: name=value; SameSite=InvalidValue` is
> > interpreted as `Set-Cookie: name=value;` (which is what this bug is asking
> > for)? Or as `Set-Cookie: name=value; SameSite=Strict` (which is what that
> > Inspector patch does)?
>
> Then it sounds like the inspector patch is wrong (I haven’t looked at it).
> 
> 
> > I'm hoping for the former. :)
> > 
> 
> The former.

Web Inspector should be doing the former:
https://trac.webkit.org/browser/trunk/Source/WebInspectorUI/UserInterface/Models/Cookie.js#L117


```
    static parseSameSiteAttributeValue(attributeValue)
    {
        if (!attributeValue)
            return WI.Cookie.SameSiteType.None;

        switch (attributeValue.toLowerCase()) {
        case "lax":
            return WI.Cookie.SameSiteType.Lax;
        case "strict":
            return WI.Cookie.SameSiteType.Strict;
        }

        return WI.Cookie.SameSiteType.None;
    }
```

We also have tests:
https://trac.webkit.org/browser/trunk/LayoutTests/inspector/unit-tests/cookie.html#L173

```
    // SameSite with unknown value is ignored.
    test(`name=value; SameSite=invalid`, {
        name: "name",
        value: "value",
        expires: null,
        maxAge: null,
        path: null,
        domain: null,
        secure: false,
        httpOnly: false,
        sameSite: WI.Cookie.SameSiteType.None,
    });
```

This was all done in:
https://bugs.webkit.org/show_bug.cgi?id=196927

    commit 10b4574f710b67f24dc0b219b9c0f67a2014f101
    Author: pecoraro at apple.com <pecoraro at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
    Date:   Mon Apr 15 21:53:48 2019 +0000

        Web Inspector: SameSite parsing should be stricter
        https://bugs.webkit.org/show_bug.cgi?id=196927
        <rdar://problem/42291601>

--

• Are you seeing otherwise?
• Are you using Safari Technology Preview?
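
The two interpretations debated in this thread, side by side, as an added example that is not part of the original message and is not WebKit's code. The function names, the `unknownPolicy` parameter and the sample headers are assumptions made for illustration; the `"strict"` policy only models the behaviour the bug title reports.

```javascript
// Added example: hypothetical helper names, constructed sample data.
// unknownPolicy "ignore": an unrecognised SameSite value is dropped, as if the
//                         attribute were absent (what this bug asks for).
// unknownPolicy "strict": an unrecognised value is enforced as Strict
//                         (a model of the behaviour reported in the bug title).
function parseSameSite(value, unknownPolicy) {
    const v = (value || "").trim().toLowerCase();
    if (!v)
        return "none"; // missing or empty value: no SameSite enforcement
    if (v === "lax" || v === "strict")
        return v;
    // Anything else, including the literal "None", is an unrecognised value here.
    return unknownPolicy === "strict" ? "strict" : "none";
}

// Minimal Set-Cookie splitter: the first pair is name=value, the rest are attributes.
function parseSetCookie(header, unknownPolicy = "ignore") {
    const [pair, ...attributes] = header.split(";");
    const eq = pair.indexOf("=");
    const cookie = {
        name: pair.slice(0, eq).trim(),
        value: pair.slice(eq + 1).trim(),
        sameSite: "none",
    };
    for (const attribute of attributes) {
        const i = attribute.indexOf("=");
        const key = (i === -1 ? attribute : attribute.slice(0, i)).trim().toLowerCase();
        if (key === "samesite") // attribute names are case-insensitive
            cookie.sameSite = parseSameSite(i === -1 ? "" : attribute.slice(i + 1), unknownPolicy);
    }
    return cookie;
}

// Names of the cookies whose enforcement differs between the two policies.
function divergentCookies(headers) {
    return headers
        .filter((h) => parseSetCookie(h, "ignore").sameSite !== parseSetCookie(h, "strict").sameSite)
        .map((h) => parseSetCookie(h).name);
}

// Constructed sample headers, not taken from the bug report.
const SAMPLE_HEADERS = [
    "name=value",
    "a=1; SameSite=Lax",
    "b=2; samesite = STRICT",
    "c=3; SameSite=None; Secure",
    "d=4; SameSite=invalid",
];

console.log(divergentCookies(SAMPLE_HEADERS));
```

Running the same comparison over a site's real `Set-Cookie` headers shows which cookies would stop being sent on cross-site requests under the stricter interpretation.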
