[Webkit-unassigned] [Bug 208049] New: Javascript can't access a SameSite=Strict cookie after page is loaded after a redirect from a third party site
bugzilla-daemon at webkit.org
Fri Feb 21 04:48:58 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=208049
Bug ID: 208049
Summary: Javascript can't access a SameSite=Strict cookie after page is loaded after a redirect from a third party site
Product: WebKit
Version: Safari 13
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: alekseipetrov at spotify.com
Steps to reproduce:
Users visit https://some-integration.com
GET https://some-integration.com HTTP/1.1
Because they're not logged in, user-agent redirects to https://accounts.spotify.com/authorize (standard OAuth 2.0 flow).
HTTP/1.1 302 Found
Location: https://accounts.spotify.com/authorize?client_id=<client_id>&redirect_uri=https%3A%2F%2Fsome-integration.com%2Fsuccess
https://accounts.spotify.com/authorize returns the html form (for user to approve scopes) and sets csrf_token cookie.
GET https://accounts.spotify.com/login?continue=https://*.spotify.net HTTP/1.1
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: csrf_token=<omitted>; Domain=.accounts.spotify.com; Path=/; Secure; SameSite=Strict
...
Actual results:
The JS call document.cookie doesn't contain the csrf_token cookie.
Expected results:
The JS call document.cookie contains csrf_token=<omitted>.
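To make the expected result concrete, here is an added model of the SameSite attachment rule from the cookie spec (RFC 6265bis), replayed over the redirect chain in this report; it is example code, not WebKit's implementation. The site_of helper, the Cookie class and the attaches/replay_report functions are constructed for the example, and reading document.cookie is modelled as a same-site access from the landed document itself.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

def site_of(url: str) -> str:
    """Approximate the registrable domain as the last two host labels.
    Constructed helper; a real browser consults the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

@dataclass
class Cookie:
    name: str
    site: str       # site of the Domain attribute the cookie was set with
    same_site: str  # "Strict", "Lax" or "None"

def attaches(cookie: Cookie, request_url: str, initiator_url: Optional[str],
             top_level: bool, method: str = "GET") -> bool:
    """Model of the SameSite rule: a request is same-site when the site that
    produced it (page or redirecting response) matches the target site.
    Strict cookies attach only to same-site requests; Lax cookies also ride
    top-level navigations with a safe method; None cookies always attach
    (Secure is assumed)."""
    target = site_of(request_url)
    if cookie.site != target:
        return False  # cookie belongs to another site, never attached
    same_site_ctx = initiator_url is None or site_of(initiator_url) == target
    if cookie.same_site == "None":
        return True
    if cookie.same_site == "Lax":
        return same_site_ctx or (top_level and method in ("GET", "HEAD"))
    return same_site_ctx  # Strict

def replay_report() -> dict:
    """Walk the redirect chain from the report (URLs taken from the report)."""
    csrf = Cookie("csrf_token", "spotify.com", "Strict")
    integration = "https://some-integration.com"
    authorize = "https://accounts.spotify.com/authorize"
    return {
        # 302 from some-integration.com to accounts.spotify.com is a
        # cross-site top-level navigation: the Strict cookie is withheld.
        "sent_on_redirect": attaches(csrf, authorize, integration, True),
        # A Lax cookie would ride that same top-level GET.
        "lax_sent_on_redirect": attaches(
            Cookie("c", "spotify.com", "Lax"), authorize, integration, True),
        # Script in the landed accounts.spotify.com document: the initiator is
        # the document itself, so the cookie should be visible (expected result).
        "visible_to_document": attaches(csrf, authorize, authorize, True),
    }
```

The model shows why the cookie is rightly absent from the redirected request but is still expected in document.cookie once the accounts.spotify.com page has loaded.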