[Webkit-unassigned] [Bug 210612] New: Download Linked File does not provide cookie if SameSite=Lax
bugzilla-daemon at webkit.org
Thu Apr 16 10:52:21 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=210612
Bug ID: 210612
Summary: Download Linked File does not provide cookie if SameSite=Lax
Product: WebKit
Version: Safari 13
Hardware: Macintosh
OS: macOS 10.15
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ottenhoff at longsight.com
Observed by educational institutions using learning management software (LMS) with Safari 13.1 on macOS 10.15.4. All users must authenticate to the system. Session state is maintained via a cookie with "SameSite=Lax;Secure". Instructors upload files like syllabus.pdf and the user must be authenticated to download the file. The user cannot download syllabus.pdf via "Download Linked File" as the SameSite=Lax cookie is not presented to the server.
Proof of concept here: https://samesite.longsight.com/index.php. Reload after first view and the cookies presented to server will be displayed. Use "Download Linked File" and view as text to see what cookies (none) were sent to server.
This is same domain only, HTTPS only, and a very common use case in an authenticated learning management system.
--
You are receiving this mail because:
You are the assignee for the bug.
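A server-side check in the spirit of the proof of concept described in the report, as an added example that is not part of the original report or of WebKit: it sets a `SameSite=Lax; Secure` session cookie, gates a download on it, and logs which cookies each request actually carried. The cookie name `lms_session`, the `/syllabus.txt` path and the function names are assumptions made for illustration.

```python
import html
from wsgiref.simple_server import make_server

COOKIE_NAME = "lms_session"  # hypothetical session cookie name
TEXT = [("Content-Type", "text/plain")]


def session_cookie():
    """Set-Cookie value with the attributes named in the report."""
    # constructed sample value, not a real session id
    return f"{COOKIE_NAME}=constructed-session-id; Path=/; SameSite=Lax; Secure"


def received_cookies(cookie_header):
    """Names of the cookies the browser sent with this request."""
    pairs = (cookie_header or "").split(";")
    return sorted(n for n in (p.partition("=")[0].strip() for p in pairs) if n)


def handle(path, cookie_header):
    """Return (status, headers, body) for a request path and Cookie header."""
    names = received_cookies(cookie_header)
    seen = "cookies received: " + (", ".join(names) or "(none)")
    if path == "/syllabus.txt":  # stands in for the protected upload
        if COOKIE_NAME in names:
            return "200 OK", TEXT, "syllabus\n" + seen
        # No session cookie: the outcome the report describes for the download.
        return "401 Unauthorized", TEXT, seen
    # Any other path: show what arrived, (re)issue the cookie, link the file.
    page = f'<p>{html.escape(seen)}</p><a href="/syllabus.txt">syllabus</a>'
    headers = [("Content-Type", "text/html"), ("Set-Cookie", session_cookie())]
    return "200 OK", headers, page


def app(environ, start_response):
    """WSGI wrapper that logs one line per request for later comparison."""
    path = environ.get("PATH_INFO", "/")
    status, headers, body = handle(path, environ.get("HTTP_COOKIE"))
    print(environ.get("REQUEST_METHOD"), path, status, flush=True)
    start_response(status, headers)
    return [body.encode()]


if __name__ == "__main__":
    # The cookie is Secure, so put a TLS terminator in front of this port.
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Comparing the logged status for a normal click on the link with the one for a context-menu download shows whether the browser attached the cookie in each case.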