[Webkit-unassigned] [Bug 219150] New: Safari does not allow first-party JS cookie to be set after SSO flow
bugzilla-daemon at webkit.org
Thu Nov 19 01:56:19 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=219150
Bug ID: 219150
Summary: Safari does not allow first-party JS cookie to be set after SSO flow
Product: WebKit
Version: Safari 14
Hardware: iPhone / iPad
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: lukas.roellin at swisscom.com
Hi
We have a web app, https://tv.blue.ch/. Users can log in via SSO (OAuth), but there is also a developer login which does not go over any other page (it logs in directly).
We have had a bug since iOS 14.
The flow is the following:
1. Obtain a session token:
   1.1. Normal SSO flow: we get an SSO token, send that to our backend, and receive a session token
   1.2. Dev flow: the user enters the session token directly into our app
2. Save the session token via `document.cookie = 'session=...'`
We have found the following behavior:
- When users go to our page, log in via SSO and then come back, our JS cookies (document.cookie = ...) are _not_ set
- When dev users go to our page and log in by directly entering a session token via a hidden form, the cookies are set
The SSO flow sends the users to another page, which has a callback URL back to our page (see 1.1 above).
Note that we are only interested in cookies set by our own app! We do not care about any cookies set during the SSO flow. We think we're triggering some tracking protection.
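As an added example (not the reporter's code), the snippet below writes the app's session cookie with explicit attributes and reads it straight back, so the app can tell whether the browser accepted the write at all rather than discovering the missing cookie later; the attribute values, the `doc` parameter and the in-memory stand-in document are assumptions.

```javascript
// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Build the string assigned to document.cookie. A cookie written from JS
// can never be HttpOnly, so the session token stays readable by any script
// on the page; Secure and SameSite=Lax are the minimum (assumed values).
function buildSessionCookie(token, maxAgeSeconds) {
  return [
    `session=${encodeURIComponent(token)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Write the cookie, then verify by reading document.cookie back.
// Returns true only if the browser stored exactly the value we wrote.
function saveSessionCookie(token, doc = globalThis.document) {
  doc.cookie = buildSessionCookie(token, 7 * 24 * 3600);
  const stored = parseCookies(doc.cookie).session;
  return stored === token;
}

// Constructed stand-in for a browser document (assumption, for running
// outside a browser): keeps only name=value, like the real cookie jar.
// accept=false simulates a browser that silently drops the write.
function fakeDocument(accept = true) {
  const jar = {};
  return {
    get cookie() {
      return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      if (!accept) return;
      const [pair] = str.split(';');
      const idx = pair.indexOf('=');
      jar[pair.slice(0, idx).trim()] = pair.slice(idx + 1).trim();
    },
  };
}
```

In the app, calling `saveSessionCookie(token)` right after the SSO callback lands and logging a `false` result separates "the write was rejected" from "the cookie was accepted but later removed".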