[Webkit-unassigned] [Bug 219650] Cookies set with SameSite=Lax are not sent during redirects in Safari

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 23 10:12:42 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=219650

--- Comment #7 from Wilson Page [:wilsonpage] <wilsonpage at me.com> ---
I just managed to reproduce this on latest desktop Safari (14.0.3 (16610.4.3.1.7)).

Facts:

- The cookie was missing on the first page request when Stripe navigates from checkout.stripe.com => mysite.com, causing a broken checkout flow.
- The issue is resolved when removing the 'SameSite=Lax' flag from the set-cookie header.
- I wasn't able to repro on localhost, perhaps due to not using the 'Secure' flag?
- Devtools were closed during my repro (unsure if this is related).

I'm now user-agent sniffing and not including 'SameSite=Lax' for all Safari based browsers.

---

In order to produce a reduced test case, we'd need to use two domains. It would likely look like this:

1. Load site1.com/ and set-cookie with `Secure` and `SameSite=Lax`
2. Click link and load site2.com/ page
3. Click link to site1.com/callback page
4. Print inbound `cookie` header
5. Observe missing cookie
