[Webkit-unassigned] [Bug 219650] Cookies set with SameSite=Lax are not sent during redirects in Safari

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 23 05:02:18 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=219650

Wilson Page [:wilsonpage] <wilsonpage at me.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wilsonpage at me.com

--- Comment #6 from Wilson Page [:wilsonpage] <wilsonpage at me.com> ---
I can also confirm this issue.

Since adding `SameSite=Lax` to my auth cookies, I'm seeing cookies not being sent by Safari to the Stripe Checkout success page.

1. mysite.com/checkout (cookie sent)
2. checkout.stripe.com
3. mysite.com/checkout-success (no cookie sent)

In my log I've seen this with the following user-agents:

- Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148

- Mozilla/5.0 (iPhone; CPU OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/33.0  Mobile/15E148 Safari/605.1.15

- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15

- Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/87.0.4280.163 Mobile/15E148 Safari/604.1

But I've so far been unable to reproduce this locally :-/ I think my current workaround will be to user-agent sniff and not use the `SameSite` functionality at all for Safari-based browsers.

-- 
You are receiving this mail because:
You are the assignee for the bug.
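
The user-agent workaround mentioned in comment #6, sketched server-side as an added example (not code from the bug report, the commenter or WebKit). The function names, the cookie name and the Chrome user-agent are assumptions made for illustration; the four WebKit user-agents are the ones quoted in the comment.

```javascript
// Added example. isWebKitBased and authCookieHeader are hypothetical names.
// First four user-agents are copied from comment #6; the last one is constructed.
const SAMPLE_UAS = [
  "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148",
  "Mozilla/5.0 (iPhone; CPU OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/33.0  Mobile/15E148 Safari/605.1.15",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/87.0.4280.163 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", // constructed
];

// The FxiOS and CriOS entries above report the same AppleWebKit build as Safari,
// so on iOS the device token decides, not the browser brand.
const IOS_DEVICE = /\((?:iPhone|iPad|iPod);/;
// Desktop Safari: AppleWebKit, then Version/x, then Safari/ ...
const SAFARI_TOKENS = /AppleWebKit\/[\d.]+ .*Version\/[\d.]+ .*Safari\//;
// ... and none of the brands that reuse the Safari/ token on another engine.
const OTHER_ENGINE = /(?:Chrome|Chromium|Edg|OPR)\/|Android/;

function isWebKitBased(userAgent) {
  const ua = typeof userAgent === "string" ? userAgent : "";
  if (IOS_DEVICE.test(ua)) return true;
  return SAFARI_TOKENS.test(ua) && !OTHER_ENGINE.test(ua);
}

// Build the Set-Cookie value for an auth cookie. A missing or unrecognised
// user-agent keeps SameSite=Lax, so the attribute is dropped only on a match.
// Matched clients get no SameSite attribute at all, which leaves CSRF defence
// for them to whatever else the application enforces (tokens, Origin checks).
function authCookieHeader(name, value, userAgent) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "HttpOnly"];
  if (!isWebKitBased(userAgent)) attrs.push("SameSite=Lax");
  return attrs.join("; ");
}

for (const ua of SAMPLE_UAS) {
  console.log(isWebKitBased(ua) ? "no SameSite" : "SameSite=Lax", "<-", ua.slice(0, 60));
}
```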