[Webkit-unassigned] [Bug 219150] New: Safari does not allow first-party JS cookie to be set after SSO flow

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 19 01:56:19 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=219150

            Bug ID: 219150
           Summary: Safari does not allow first-party JS cookie to be set
                    after SSO flow
           Product: WebKit
           Version: Safari 14
          Hardware: iPhone / iPad
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: lukas.roellin at swisscom.com

Hi

We have a web app, https://tv.blue.ch/. Users can log in via SSO (OAuth), but there is also a developer login which does not go over any other page (it logs in directly).

We have had a bug since iOS 14.

The flow is the following:

1. Obtain a session token:
   1. Normal SSO flow: we get an SSO token, send that to our backend, and receive a session token
   2. Dev flow: the user enters the session token directly into our app
2. Save the session token via `document.cookie = 'session=...'`

We have found the following behavior:

- When users go to our page, log in via SSO and then come back, our JS cookies (`document.cookie = ...`) are _not_ set
- When dev users go to our page and log in by directly entering a session token via a hidden form, the cookies are set

The SSO flow sends the users to another page, which has a callback URL back to our page (see 1.1 above).

Note that we are only interested in cookies set by our own app! We do not care about any cookies set during the SSO flow. We think we're triggering some tracking protection.

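The report's step 2 assigns the token to `document.cookie` and then assumes it stuck; the two flows only differ in what the page did before that assignment. The check below is an added example, not code from the bug report or from the tv.blue.ch app: it builds the cookie string with explicit attributes, assigns it, and reads `document.cookie` back immediately so a silently discarded write is detected at the point where it happens rather than on the next request. The names `buildSessionCookie`, `parseCookieHeader`, `persistSession` and `fakeDocument`, the `doc` parameter standing in for `window.document`, and the 7-day `Max-Age` default are this example's own assumptions; the stub document exists only so the code runs outside a browser and can emulate a browser that drops the write.

```javascript
// Added example (not from the bug report): build the first-party session
// cookie, assign it through document.cookie, and read it back at once so a
// silently dropped cookie is detected instead of assumed.
// buildSessionCookie, parseCookieHeader, persistSession, fakeDocument and the
// `doc` parameter (window.document in the real app) are this example's names.

// Build the string assigned to document.cookie. Attributes are explicit so the
// browser applies no defaults; Secure is required because the app is served over https.
function buildSessionCookie(token, { maxAgeSeconds = 7 * 24 * 3600, path = '/' } = {}) {
  // RFC 6265 cookie-octet: reject tokens the browser would mangle or refuse.
  if (!/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/.test(token)) {
    throw new Error('session token contains characters not allowed in a cookie value');
  }
  return [
    `session=${token}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Parse the "name=value; name2=value2" string that document.cookie returns.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Assign the cookie and verify it is readable immediately afterwards.
// Returns { ok, stored } so the caller can refuse to treat the user as logged
// in when the browser discarded the write.
function persistSession(doc, token, opts) {
  doc.cookie = buildSessionCookie(token, opts);
  const stored = parseCookieHeader(doc.cookie).session;
  return { ok: stored === token, stored: stored === undefined ? null : stored };
}

// Minimal stand-in for window.document with a cookie jar, used only so the
// example runs outside a browser. `accept: false` emulates a browser that
// silently discards the assignment, which is the symptom the report describes
// after the SSO callback.
function fakeDocument({ accept = true } = {}) {
  const jar = new Map();
  return {
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      if (!accept) return;
      const [pair] = str.split(';');
      const idx = pair.indexOf('=');
      jar.set(pair.slice(0, idx).trim(), pair.slice(idx + 1).trim());
    },
  };
}

// In the app, after either flow (SSO callback or dev form):
//   const result = persistSession(document, sessionToken);
//   if (!result.ok) { /* surface the failure instead of proceeding as logged in */ }
```

Running this check in both flows narrows the question the report leaves open: if `ok` is false right after the assignment in the SSO case but true in the dev case, the cookie is being refused at write time on the post-callback page load, not expired or removed later; if it is true in both, the cookie is accepted and disappears afterwards, which points at lifetime capping rather than outright blocking. The check detects the drop; it does not say which Safari rule caused it.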