[Webkit-unassigned] [Bug 228261] New: cookies with SameSite information are never sent for “unofficial” or new TLDs in iOS-12.x for non-toplevel requests

bugzilla-daemon at webkit.org
Fri Jul 23 18:01:41 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=228261

            Bug ID: 228261
           Summary: cookies with SameSite information are never sent for
                    “unofficial” or new TLDs in iOS-12.x for non-toplevel
                    requests
           Product: WebKit
           Version: Other
          Hardware: iPhone / iPad
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ohnobinki at ohnopublishing.net

In iOS-12.5.3, if I connect to a site with a name such as “blah.not-a-tld” (using a custom local DNS setup) and then issue cookies to Mobile Safari with any SameSite specified (for example, SameSite=Lax), then these cookies are only sent for toplevel requests. They are omitted from XHR.

I suspect that that version of Safari does not have r245299 which changes how areRegistrableDomainsEqual() handles domain names not in the hardcoded TLD list shipped with iOS. I suspect that, prior to r245299, the effective cookie site URI is the empty string. After that change, the effective cookie site will be the entire host (because of the domain.isEmpty() check added in registrableDomainFromHost() by that changeset).

To reproduce:

1. Produce a webserver issuing a header such as Set-Cookie: c=1; Path=/; SameSite=Lax such as with the following command: node -e "require('http').createServer((req, res) => {console.log(req.headers); res.writeHead(200, {'Set-Cookie': 'c=1; Path=/; HttpOnly; SameSite=Lax', 'Cache-Control': 'no-cache', 'Content-Type': 'text/html; charset=utf-8'}).end('<html>');}).listen(3000)"
2. Configure your network and iPod running iOS-12.5.3 (latest for iPod6) such that the host blah.not-a-tld resolves to your server. For example, add an entry to the server’s /etc/hosts and run dnsmasq on the server and then set custom DNS servers pointing to your server in your iPod’s network settings.
3. On the iPod, navigate to http://blah.not-a-tld:3000/.
4. Using Web Inspector from Safari Technology Preview on a Mac OS X machine, run fetch('http://blah.not-a-tld:3000/', { credentials: 'include', }) twice.

Expected results:

The second time the fetch is run, the request should send the cookie. This will be visible to the server and via Web Inspector.

Actual results:

The second time the fetch is run, the cookie is not sent.

If SameSite is removed entirely from the Set-Cookie header, the cookie is sent.

If top-level navigation is performed (e.g., reload the page or renavigate to it in Mobile Safari), the cookie is sent.

The problem is not reproducible in iOS-14.6.

-- 
You are receiving this mail because:
You are the assignee for the bug.
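
The reproduction above, extended into a small diagnostic server. This is an added example, not code from the bug report or from WebKit. It issues one cookie per SameSite variant plus a control cookie with no SameSite attribute, and classifies each request by which cookies came back. The cookie names, the /xhr path, the --serve flag and the result labels are assumptions made for the example.

```javascript
// Added example (not from the bug report). Cookie names, the /xhr path,
// the --serve flag and the result labels are assumptions.
const COOKIES = {
  lax: 'lax=1; Path=/; HttpOnly; SameSite=Lax',
  strict: 'strict=1; Path=/; HttpOnly; SameSite=Strict',
  plain: 'plain=1; Path=/; HttpOnly', // control: no SameSite attribute
};

// Parse a Cookie request header into the set of cookie names it carries.
function cookieNames(header) {
  const names = new Set();
  for (const pair of (header || '').split(';')) {
    const name = pair.split('=')[0].trim();
    if (name) names.add(name);
  }
  return names;
}

// Classify one same-origin request from the cookies it carried.
function classify(header) {
  const seen = cookieNames(header);
  const sameSite = ['lax', 'strict'].filter((n) => seen.has(n));
  if (!seen.has('plain')) return 'no-cookies-yet'; // first visit, or all cookies withheld
  if (sameSite.length === 2) return 'ok';
  if (sameSite.length === 0) return 'samesite-dropped'; // the behaviour reported for XHR
  return 'partial:' + sameSite.join(',');
}

function serve(port) {
  const http = require('http'); // loaded lazily so the helpers above stay pure
  http.createServer((req, res) => {
    const kind = req.url.startsWith('/xhr') ? 'subresource' : 'page';
    console.log(kind, req.url, classify(req.headers.cookie));
    res.writeHead(200, {
      'Set-Cookie': Object.values(COOKIES),
      'Cache-Control': 'no-cache',
      'Content-Type': 'text/html; charset=utf-8',
    });
    // The page issues the credentialed fetch itself, so no inspector is needed.
    res.end('<html><script>fetch("/xhr", {credentials: "include"})</script>');
  }).listen(port);
}

if (process.argv.includes('--serve')) serve(3000);
```

Run it with --serve and load the page twice on the device. A "subresource" line reading samesite-dropped next to a "page" line reading ok matches the behaviour described in this report.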