[Webkit-unassigned] [Bug 204498] Server side HTTP Cookie in iframe is not accepted

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 22 15:47:13 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204498

--- Comment #1 from John Wilander <wilander at apple.com> ---
Hi Eric! Thanks for your report.

The case you describe is actually blocked by default by Safari and WebKit on Cocoa platforms. It's the underlying cookie policy that enforces that a website without existing cookies cannot set cookies when it is a third-party resource. This default cookie policy has been in effect for 16 years in Safari.

When you turn off ITP, you also change the cookie policy to an "accept all" policy. That's why the cookie gets accepted under that setting.

Both the default cookie policy and ITP are privacy features, which explains why they are both under the same Safari setting called "Prevent cross-site tracking."

As for cookies being accepted if they are Secure and HttpOnly, that's a misunderstanding. What you are referring to is the 7-day cap on expiry of cookies set through JavaScript. If you don't want your cookies to have a 7-day lifetime, you need to set them server-side, and that's where we also advise you to make sure that cookie is Secure and HttpOnly. Such cookies have much better security and privacy guarantees and are more likely to be accepted by browsers' privacy protections.
