[Webkit-unassigned] [Bug 214608] New: Cookie with SameSite=None not created in an iframe on Catalina but works fine in Mojave

bugzilla-daemon at webkit.org
Tue Jul 21 11:53:49 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=214608

            Bug ID: 214608
           Summary: Cookie with SameSite=None not created in an iframe on
                    Catalina but works fine in Mojave
           Product: WebKit
           Version: Safari 13
          Hardware: Macintosh
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tstoyche at akamai.com

I am not sure if this is a real bug or if it's just not clear from the Safari release notes what the expected behavior should be when "Prevent cross-site tracking" is enabled in Safari's privacy settings.

Reference to release notes: https://developer.apple.com/documentation/safari-release-notes/safari-13_1-release_notes

"Added cookie blocking for all cross-site resources by default."


Demo:

This website is used to demonstrate whether a cookie with the SameSite=None flag is created in an iframe in a 3rd-party context: https://animated-caribou.glitch.me


SiteB is a website loaded in an iframe and it demonstrates what cookies are created inside.

I see different behavior on Catalina and Mojave:

=== Mojave ===

OS version: 10.14.6
Safari version: 13.1.1 (14609.2.9.1.3)
"Prevent cross-site tracking": Enabled
User Agent String: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15

Result SiteB:

1. document.cookie: foo=SiteBCookie; foo2=SiteBNone
2. Cookie on Server: {"foo":"SiteBCookie","foo2":"SiteBNone"}


=== Catalina ===

OS version: 10.15.4
Safari version: Version 13.1 (15609.1.20.111.8)
"Prevent cross-site tracking": Enabled
User Agent String: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15

Result SiteB:

1. document.cookie: 
2. Cookie on Server: {}



Question:

The question is why cookies are not created on Catalina: is this a bug, or did Safari decide to block all cookies in such a context even though the spec for None says: "Cookies will be sent in all contexts, i.e sending cross-origin is allowed."? Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

-- 
You are receiving this mail because:
You are the assignee for the bug.
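
A minimal stand-in for the "SiteB" frame described in the report, added here as an example; it is not the reporter's demo code or WebKit's. The `/echo` route, port 3000, the function names and the choice to set `foo` without a SameSite attribute are assumptions; only the cookie names and values come from the report.

```javascript
// Added example: stand-in for the "SiteB" iframe page (names and routes are assumptions).

// Build a Set-Cookie value; SameSite=None is meant to be paired with Secure.
function buildSetCookie(name, value, sameSite) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (sameSite === 'None') parts.push('Secure');
  return parts.join('; ');
}

// Parse the request's Cookie header into the object reported as "Cookie on Server".
function parseCookieHeader(header) {
  const jar = {};
  for (const pair of (header || '').split(';')) {
    const idx = pair.indexOf('=');
    const name = idx < 0 ? '' : pair.slice(0, idx).trim();
    if (!name) continue;
    const raw = pair.slice(idx + 1).trim();
    try { jar[name] = decodeURIComponent(raw); } catch { jar[name] = raw; }
  }
  return jar;
}

// Page body: prints both observations from inside the frame.
const PAGE = `<pre id="out"></pre><script>
fetch('/echo').then(r => r.text()).then(t => {
  document.getElementById('out').textContent =
    '1. document.cookie: ' + document.cookie + '\\n2. Cookie on Server: ' + t;
});
</script>`;

// Request handler: "/" sets both cookies, "/echo" reports what the browser sent back.
function siteB(req, res) {
  if (req.url === '/echo') {
    res.writeHead(200, { 'Content-Type': 'application/json' });
    return res.end(JSON.stringify(parseCookieHeader(req.headers.cookie)));
  }
  res.writeHead(200, {
    'Content-Type': 'text/html',
    'Set-Cookie': [buildSetCookie('foo', 'SiteBCookie'),
                   buildSetCookie('foo2', 'SiteBNone', 'None')],
  });
  res.end(PAGE);
}

// Start with: node siteb.js --serve (put it behind HTTPS so Secure cookies are accepted).
if (process.argv.includes('--serve')) require('http').createServer(siteB).listen(3000);
```

Embedding the served page in an iframe on a different site and comparing the two printed lines across Safari builds reproduces the check the report describes.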