[Webkit-unassigned] [Bug 217138] New: Third party cookie not working even when ITP is OFF

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 30 11:52:05 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=217138

            Bug ID: 217138
           Summary: Third party cookie not working even when ITP is OFF
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sarkar.sambit at gmail.com

I am on WKWebView in iOS14. I have ability to disable ITP in app settings as I changed the info.plist with NSCrossWebsiteTrackingUsageDescription. I have first-party context to http://127.0.0.1 and third-party context to https://mydomain.com. So, I load a https domain in iframe from http top-level-domain.  

I host a webapp inside iphone in gcdserver and load that web app from http://127.0.0.1 domain. And then in that loaded app I load another web app in iframe from a remotely hosted website - say https://mydomain.com. So, my first-party context is 127.0.0.1 and my third-party context is mydomain.com. The important thing is I load first-party domain 127.0.0.1 through native URLSession as you see I use proxy to load the webapp. Also, I can intercept xhr calls from locally hosted web app and serve response from iOS-native even if xhr is made to absolute url of different domain. When first-party context (locally hosted webapp at 127.0.0.1) makes an xhr request to mydomain.com, native code intercepts the xhr and sets response cookies in WKWebView cookieStore under mydomain.com before sending response to WKWebView xhr. Now with ITP off, I expect the iframe.src=mydomain.com should attach the cookie I received in first-party context through xhr and was forcefully set to wkwebview store through native code. I think I am missing something. Why iframe.src is not attaching cookies that I already forcefully set in WKWebView cookiestore with iOS networking source code?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200930/746c956b/attachment.htm>

More information about the webkit-unassigned mailing list