[Webkit-unassigned] [Bug 208049] New: Javascript can't access a SameSite=Strict cookie after page is loaded after a redirect from a third party site

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Feb 21 04:48:58 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=208049

            Bug ID: 208049
           Summary: Javascript can't access a SameSite=Strict cookie after
                    page is loaded after a redirect from a third party
                    site
           Product: WebKit
           Version: Safari 13
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: alekseipetrov at spotify.com

Steps to reproduce:

Users visit https://some-integration.com
GET https://some-integration.com HTTP/1.1

Because they're not logged in, the user agent redirects to https://accounts.spotify.com/authorize (standard OAuth 2.0 flow).
HTTP/1.1 302 Found
Location: https://accounts.spotify.com/authorize?client_id=<client_id>&redirect_uri=https%3A%2F%2Fsome-integration.com%2Fsuccess

https://accounts.spotify.com/authorize returns the HTML form (for the user to approve scopes) and sets the csrf_token cookie.
GET https://accounts.spotify.com/login?continue=https://*.spotify.net HTTP/1.1

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: csrf_token=<omitted>; Domain=.accounts.spotify.com; Path=/; Secure; SameSite=Strict
...

Actual results:

The JS call document.cookie doesn't contain the csrf_token cookie.

Expected results:

The JS call document.cookie contains csrf_token=<omitted>

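The report turns on how a cookie set with SameSite=Strict behaves when the page was reached through a redirect that started on a third-party site. The following is an added example, not code from the bug report or from WebKit: it models the SameSite request-attachment rules of the HTTP State Management draft (RFC 6265bis) for the redirect hops described above, so the Strict/Lax difference on the cross-site hop can be seen. Site names are those in the report; the function names and the constructed cookie value are this example's own. It models which requests the cookie is attached to, not whether script on the landed page can read it via document.cookie, which is the behaviour the report questions.

```javascript
// Added example modelling SameSite cookie attachment (not WebKit code).
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Simplified registrable domain: the last two labels. Real browsers use the
// Public Suffix List; this is enough for the hosts in the report.
function registrableDomain(host) {
  const parts = host.toLowerCase().replace(/\.$/, "").split(".");
  return parts.slice(-2).join(".");
}

// Parse a Set-Cookie header value into the attributes this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: "",
    secure: false,
    sameSite: "Lax", // what current browsers assume when the attribute is absent
  };
  for (const attr of attrs) {
    const [key, ...rest] = attr.split("=");
    const val = rest.join("=").trim();
    switch (key.trim().toLowerCase()) {
      case "domain": cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
      case "secure": cookie.secure = true; break;
      case "samesite": cookie.sameSite = val.charAt(0).toUpperCase() + val.slice(1).toLowerCase(); break;
      // Path, Expires, Max-Age, HttpOnly do not affect the SameSite decision modelled here.
    }
  }
  return cookie;
}

function domainMatches(cookie, host) {
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Decide whether `cookie` is attached to a request for `host` whose initiator
// (the page that issued the navigation or the redirect) is `initiatorHost`.
function cookieAttached(cookie, { host, initiatorHost, topLevelNavigation, method = "GET" }) {
  if (!domainMatches(cookie, host)) return false;
  if (cookie.sameSite === "None") return cookie.secure; // SameSite=None requires Secure
  const sameSite = registrableDomain(host) === registrableDomain(initiatorHost);
  if (sameSite) return true;
  if (cookie.sameSite === "Lax") return topLevelNavigation && SAFE_METHODS.has(method);
  return false; // Strict: never attached to a cross-site request
}

// The hops from the report, evaluated for a given SameSite attribute value.
function oauthFlowAttachment(sameSiteAttr) {
  // Constructed cookie value; the report omits the real one.
  const header = `csrf_token=tok-constructed; Domain=.accounts.spotify.com; Path=/; Secure; SameSite=${sameSiteAttr}`;
  const cookie = parseSetCookie(header);
  const authz = "accounts.spotify.com";
  return {
    // some-integration.com 302-redirects the browser to accounts.spotify.com/authorize:
    // a redirect chain that starts on a cross-site page is a cross-site top-level navigation.
    crossSiteRedirect: cookieAttached(cookie, { host: authz, initiatorHost: "some-integration.com", topLevelNavigation: true }),
    // accounts.spotify.com then sends the browser on to its own /login page.
    sameSiteNavigation: cookieAttached(cookie, { host: authz, initiatorHost: authz, topLevelNavigation: true }),
    // A cross-site form POST to accounts.spotify.com, the case a CSRF token guards.
    crossSitePost: cookieAttached(cookie, { host: authz, initiatorHost: "some-integration.com", topLevelNavigation: true, method: "POST" }),
  };
}

console.log("Strict:", oauthFlowAttachment("Strict"));
console.log("Lax:   ", oauthFlowAttachment("Lax"));
```

Under Strict the cookie is withheld on the hop that arrives from some-integration.com and only appears once the browser is navigating within accounts.spotify.com; under Lax it is attached on that first top-level GET but still withheld on a cross-site POST. That second row is why Lax is the usual choice for a token that has to be present on a page reached through a cross-site redirect while still being absent from cross-site form submissions.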