[Webkit-unassigned] [Bug 233128] Navigation from CodePen iframe to CodePen top frame makes CodePen servers think the user is not logged in

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 6 17:28:46 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=233128

--- Comment #5 from John Wilander <wilander at apple.com> ---
Sorry for the delay.

# Part 1

I have now confirmed that:
1) If I change the cp_session to SameSite=none, I land as logged in.
2) The cp_session cookie is refreshed on every page load which means that it is reset as SameSite=lax as soon as I load a CodePen page after manually changing it to SameSite=none.
3) The navigation that blocks SameSite=lax cookies also blocks new cookies set as SameSite=lax so even though the cross-site navigation lands me as logged in, the next page load from CodePen has me logged out because the server tried to set a new SameSite=lax cp_session cookie and that was blocked.

This points in two directions:

a) It's highly unlikely that WebKit is *deleting* any cookies. I mentioned this before. The test results instead point to CodePen servers setting a new cp_session cookie on every page load which overwrites the old cookie.

b) WebKit is blocking SameSite=lax cookies in the cross-site navigation from css-tricks.com to codepen.io. This may be different behavior from Gecko and Chromium. The result is that the server doesn't get the cp_session cookie on the navigation and sets a new cookie state on the response that represents an unknown or logged out user.

# Part 2

The link on css-tricks.com looks like this:
<a class="edit-on-codepen" target="_blank" rel="noopener" href="https://codepen.io/team/css-tricks/pen/ogqWJL" title="Edit on CodePen">…</a>

If I change the target from _blank to _top, I stay logged in. That's where I will continue this investigation.

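The sequence in Parts 1 and 2 can be traced with a small simulation. This is an added example, not WebKit or CodePen code; it assumes the server behaviour inferred in the comment (cp_session is re-issued on every page load and the previous id is retired) and the WebKit behaviour observed there (in the target=_blank navigation from the embedded frame, SameSite=Lax cookies are neither sent nor stored, while target=_top behaves as same-site). The user name "alice" is constructed.

```python
# Added simulation, not code from WebKit or CodePen: it models the cookie behaviour
# described in the comment so the logout sequence can be traced request by request.
import secrets
from dataclasses import dataclass, field

@dataclass
class Server:
    """Toy origin that, like the inferred CodePen behaviour, re-issues cp_session on every load."""
    sessions: dict = field(default_factory=dict)  # session id -> user name (None = logged out)

    def login(self, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def page_load(self, presented_sid):
        """Return (user or None, new cp_session value). The presented id is retired (rotation)."""
        user = self.sessions.pop(presented_sid, None)
        new_sid = secrets.token_hex(8)
        self.sessions[new_sid] = user  # an unknown/logged-out visitor still gets a fresh id
        return user, new_sid

@dataclass
class Browser:
    """Cookie jar applying the rule observed in the comment: when WebKit treats the navigation
    as cross-site (target=_blank from the codepen.io frame embedded on css-tricks.com),
    SameSite=Lax cookies are neither sent on the request nor stored from the response."""
    jar: dict = field(default_factory=dict)  # cookie name -> (value, SameSite attribute)

    def navigate(self, server, cross_site):
        cookie = self.jar.get("cp_session")
        sent = cookie[0] if cookie and (cookie[1] == "None" or not cross_site) else None
        user, new_sid = server.page_load(sent)
        if not cross_site:  # the server always sets SameSite=Lax; blocked in the cross-site case
            self.jar["cp_session"] = (new_sid, "Lax")
        return user

def scenario(target, samesite_override=None):
    """Log in, optionally rewrite the cookie's SameSite attribute by hand (Part 1, item 1),
    follow the Edit-on-CodePen link with the given target, then load one more CodePen page.
    Returns (user seen on the landing page, user seen on the next page load)."""
    server, browser = Server(), Browser()
    browser.jar["cp_session"] = (server.login("alice"), samesite_override or "Lax")
    cross_site = target == "_blank"  # target=_top stays logged in, per Part 2
    landing = browser.navigate(server, cross_site)
    next_load = browser.navigate(server, cross_site=False)  # ordinary same-site page load
    return landing, next_load
```

With target="_top" both loads see the logged-in user; with target="_blank" the landing page sees no session (item 3 of Part 1); and with the cookie hand-edited to SameSite=None the landing page is logged in but the rotated Lax cookie is blocked, so the next load is logged out.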

