[Webkit-unassigned] [Bug 226386] New: Same-site lax cookies not sent by fetch event handler after page reload

bugzilla-daemon at webkit.org
Fri May 28 11:44:39 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=226386

            Bug ID: 226386
           Summary: Same-site lax cookies not sent by fetch event handler
                    after page reload
           Product: WebKit
           Version: Safari 14
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Service Workers
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: steffen.weber at gmail.com

Requests sent by Safari lack SameSite=Lax cookies when a service worker with a fetch event handler is involved.

How to reproduce:

1. Fetch a SameSite=Lax demo cookie by visiting https://www.computerbase.de/api/samesite-demo-cookie (*)
2. Search Google for "computerbase"
3. Open the "Network" tab of the developer tools
4. Click on the search result that leads to our homepage (may not be the first one depending on your location)
5. In the "Network" tab, find the "document" request and have a look at the cookies sent by Safari. For now, the "samesite-demo-cookie" is there.
6. Now reload our homepage. (Maybe this causes our Service Worker to fully initialize / activate?)
7. Repeat steps 2-4. Now the cookie doesn't get sent anymore.

(*) I've created this script because other cookies set by ComputerBase don't use SameSite=Lax in Safari anymore because of this bug.

The fetch event handler of our service worker doesn't handle all requests; for some requests it just returns "null" to let the browser handle the request (as if the service worker didn't exist). For example, the fetch event handler of our service worker returns "null" for all forum URLs (all URLs starting with "https://www.computerbase.de/forum/"). It turns out that forum URLs have no problem with same-site cookies: When I click on the search results entry for our forum (should be displayed when searching for "computerbase", if not then search for "computerbase forum"), the same-site demo cookie is always there as expected. If I then go back to the SERP and click on our homepage link again, the cookie is missing. Go back to the SERP and click on our forum link again, the cookie is there again. And so on...

So we have the following: 1) Same-site cookie is sent to our homepage on first try, but not anymore after one or two reloads (probably after the service-worker has been initialized and our fetch event handler is used). 2) Same-site cookie is always sent to our forum pages, which are ignored by the fetch event handler.

I think the combination of these two observations indicates that there is an issue with same-site cookies for requests sent by the fetch event handler.

Split from Bug #219650 as suggested by John Wilander.
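
The two request paths the report contrasts, as an added example that is not part of the original bug report and is not ComputerBase's service worker code. It assumes that "returns null" means the handler returns without calling `event.respondWith()` and that handled requests are re-issued with `fetch(event.request)`; the function names and the constructed event object are hypothetical.

```javascript
// Added illustration; not ComputerBase's actual service worker.
const PASS_THROUGH_PREFIX = 'https://www.computerbase.de/forum/'; // prefix from the report

// Decide which path a request takes: 'browser' when the handler declines
// the request, 'worker' when it answers via respondWith().
function routeRequest(url) {
  return url.startsWith(PASS_THROUGH_PREFIX) ? 'browser' : 'worker';
}

// Fetch event handler. fetchImpl is injectable so the routing can be
// exercised outside a browser.
function onFetch(event, fetchImpl = fetch) {
  if (routeRequest(event.request.url) === 'browser') {
    return 'browser'; // no respondWith(): the browser performs the request itself
  }
  // The request is re-issued from the worker. This is the path on which the
  // report observes the SameSite=Lax cookie missing after a reload.
  event.respondWith(fetchImpl(event.request));
  return 'worker';
}

// Register only inside a real service worker context.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('fetch', (event) => onFetch(event));
}

// Constructed stand-in for a top-level navigation FetchEvent; records
// which path the handler took for a given URL.
function traceNavigation(url) {
  const trace = { url, path: null, respondWithCalled: false, fetchedByWorker: false };
  const event = {
    request: { url, mode: 'navigate' },
    respondWith() { trace.respondWithCalled = true; },
  };
  trace.path = onFetch(event, () => {
    trace.fetchedByWorker = true;
    return Promise.resolve(null);
  });
  return trace;
}
```

Comparing the cookies the server receives for a URL on each path separates the worker-issued request from the browser-issued one, which is the distinction the report's two observations rest on.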
