[Webkit-unassigned] [Bug 198181] Cookies with SameSite=None or SameSite=invalid treated as Strict

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 23 08:09:07 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=198181

--- Comment #44 from John Wilander <wilander at apple.com> ---
(In reply to ChristianV from comment #43)
> Does it mean that SPA Applications calling third-party APIs (with proper
> CORS set-up) that rely on cookies to properly work are broken ?
> Something like the drawing to give you an idea.
> 
> 
>   abc.com                                                   api.net
>                                                            +---------------+
> +----------+                                               |               |
> |          |  (Ajax Request to API)                        |               |
> |          | +------------------------------------------>  |               |
> |          |  origin: abc.com                              |               |
> |          |                                               |               |
> |          |  (API Response with Cookie)                   |               |
> |          | <-------------------------------------------+ |               |
> |          | Access-Control-Allow-Credentials: true        |               |
> |          | Access-Control-Allow-Origin: https://abc.com  |               |
> |          | Cookie: myCookie ; domain=api.net             |               |
> +----------+                                               +---------------+

Hi! The scenario you are describing has never been supported under Safari’s default cookie policy. Between 2003 and 2017, api.net would have had to be visited as a first-party website and set cookies as such before it could use cookies as a third party.

Between 2017 and March 2020, if api.net was used under multiple different websites, it would be blocked from third-party cookies even if it had been visited as a first-party website.

As of March 2020, all third-party cookies are blocked unconditionally and the third party needs to call the Storage Access API to ask for the user’s permission to use cookies.

-- 
You are receiving this mail because:
You are the assignee for the bug.
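The following is an added example, not code from the WebKit bug thread or from either commenter. It sketches the pieces the diagram in comment #43 needs under the policy described in comment #44: api.net must answer CORS with credentials allowed for an explicit origin, its cookie must be `SameSite=None; Secure` to be eligible for cross-site requests at all, and an api.net frame embedded in abc.com must obtain storage access before Safari will attach that cookie. The hostnames, the `ALLOWED_ORIGINS` list and the mock `document`/`fetch` helpers are constructed for illustration.

```javascript
// Added example, not code from the WebKit bug thread. Hostnames,
// ALLOWED_ORIGINS and the mock helpers below are constructed for illustration.

const ALLOWED_ORIGINS = new Set(["https://abc.com"]);

// api.net response headers for a credentialed CORS request from `origin`.
// Browsers reject "*" together with Allow-Credentials: true, so the origin is
// echoed only when it is on the allowlist, never reflected blindly.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Set-Cookie value for a cookie meant to ride on cross-site requests.
// SameSite=None is the only value that permits that, and it must be Secure.
function crossSiteCookie(name, value, domain) {
  return [`${name}=${value}`, `Domain=${domain}`, "Path=/",
          "Secure", "HttpOnly", "SameSite=None"].join("; ");
}

// Runs inside <iframe src="https://api.net/..."> embedded by abc.com, from a
// click handler: Safari rejects requestStorageAccess() outside a user gesture.
// `doc` is that iframe's `document`, injected so the flow can run offline.
async function ensureStorageAccess(doc) {
  if (typeof doc.hasStorageAccess !== "function") {
    return { supported: false, granted: true, prompted: false }; // no ITP
  }
  if (await doc.hasStorageAccess()) {
    return { supported: true, granted: true, prompted: false };
  }
  try {
    await doc.requestStorageAccess(); // resolves on grant, rejects on denial
    return { supported: true, granted: true, prompted: true };
  } catch (_err) {
    return { supported: true, granted: false, prompted: true };
  }
}

// The SPA's call from abc.com. credentials: "include" is required for the
// browser to attach api.net's cookie; the CORS headers above decide whether
// script may read the response. `fetchImpl` is injected so it can be mocked.
async function callApi(fetchImpl, url) {
  const res = await fetchImpl(url, { credentials: "include" });
  if (!res.ok) throw new Error(`api.net returned ${res.status}`);
  return res.json();
}

// Constructed stand-ins for `document` and `fetch`, used by demo() below.
function mockDocument({ hasAccess, userGrants }) {
  return {
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => {
      if (!userGrants) throw new Error("storage access denied");
    },
  };
}
function mockFetch(cookieSent) {
  // Mimics api.net: 401 when the request arrives without the session cookie.
  return async (_url, init) => {
    const ok = init.credentials === "include" && cookieSent;
    return { ok, status: ok ? 200 : 401, json: async () => ({ user: "alice" }) };
  };
}

async function demo() {
  const access = await ensureStorageAccess(
    mockDocument({ hasAccess: false, userGrants: true }));
  const data = await callApi(mockFetch(access.granted), "https://api.net/me");
  console.log(corsHeadersFor("https://abc.com"),
              crossSiteCookie("session", "s3cr3t", "api.net"), data);
}
demo().catch(console.error);
```

The important constraint this shows is where the Storage Access call has to live: it must be made by a document of api.net itself (the embedded frame), from a user gesture, not by the abc.com page on api.net's behalf. Until that grant exists, the `credentials: "include"` fetch from abc.com goes out without the cookie and the mock API, like a real one, answers 401.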
