[Webkit-unassigned] [Bug 149551] [SOUP] Slack.com is not working, new messages do not load due to WebSocket authentication failure issue

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 25 08:39:39 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=149551

--- Comment #27 from Michael Catanzaro <mcatanzaro at gnome.org> ---
I don't think WebSockets should be treated as a top site navigation. That doesn't sound right.

(In reply to Carlos Garcia Campos from comment #26)
> Maybe it's a WebKit bug that should mark the websocket request as same site?

app.slack.com and wss-primary.slack.com have the same registrable domain (top privately-controlled domain), slack.com, so they should be treated as the same site for purposes of cookie policy. That is, wss-primary.slack.com should be allowed to receive cookies even if the request is SameSite=Lax or SameSite=Strict.

The cookie's Domain attribute of course has to match for the cookie to be sent in the request. In this case, Domain is set to .slack.com, so it does.

libsoup used to be stricter than any browser in using the full domain rather than registrable domain, but that was not web-compatible, so I changed it: https://gitlab.gnome.org/GNOME/libsoup/-/commit/d5952f2ff3a89e8ed19826ca3ace72078b9b1ed6. WebKit should match that behavior.

There's a complicated draft spec for this here: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2

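The cookie decision discussed in comment #27, as an added example that is not libsoup or WebKit code: it compares the full-host check with the registrable-domain check for a non-navigation request such as a WebSocket handshake. The function names and the three-entry `SUFFIXES` table are assumptions standing in for the real Public Suffix List, and the URL scheme is ignored.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the Public Suffix List; real code needs the full list. */
static const char *const SUFFIXES[] = { "com", "org", "co.uk" };

/* True if host equals dom or ends with "." followed by dom (case-insensitive). */
static bool host_within(const char *host, const char *dom) {
    size_t h = strlen(host), d = strlen(dom);
    if (d == 0 || h < d || strcasecmp(host + h - d, dom) != 0) return false;
    return h == d || host[h - d - 1] == '.';
}

/* Longest matching public suffix plus one label; NULL if there is none. */
const char *registrable_domain(const char *host) {
    const char *best = NULL;
    for (size_t i = 0; i < sizeof SUFFIXES / sizeof *SUFFIXES; i++) {
        if (!host_within(host, SUFFIXES[i])) continue;
        const char *s = host + strlen(host) - strlen(SUFFIXES[i]);
        if (!best || s < best) best = s;    /* longest suffix starts earliest */
    }
    if (!best || best == host || best - 1 == host) return NULL;
    const char *p = best - 1;               /* the '.' before the suffix */
    while (p > host && p[-1] != '.') p--;   /* step back over one label */
    return p;
}

/* Same site: equal registrable domains; exact host match when there is none. */
bool same_site(const char *a, const char *b) {
    const char *ra = registrable_domain(a), *rb = registrable_domain(b);
    return (ra && rb) ? strcasecmp(ra, rb) == 0 : strcasecmp(a, b) == 0;
}

/* Is a SameSite=Lax/Strict cookie attached to a non-navigation request made by
   a page on `page`? by_site=false is the stricter full-host comparison. */
bool cookie_sent(const char *domain, const char *page, const char *req, bool by_site) {
    const char *d = domain[0] == '.' ? domain + 1 : domain;
    if (!host_within(req, d)) return false;   /* Domain attribute must match */
    return by_site ? same_site(page, req)
                   : strcasecmp(page, req) == 0;
}

int main(void) {
    const char *page = "app.slack.com", *ws = "wss-primary.slack.com";
    printf("full host: %d, registrable domain: %d\n",
           cookie_sent(".slack.com", page, ws, false), cookie_sent(".slack.com", page, ws, true));
    return 0;
}
```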