[Webkit-unassigned] [Bug 233128] New: Navigation from CodePen iframe to CodePen top frame makes CodePen servers think the user is not logged in

Mon Nov 15 07:43:24 PST 2021

https://bugs.webkit.org/show_bug.cgi?id=233128

            Bug ID: 233128
           Summary: Navigation from CodePen iframe to CodePen top frame
                    makes CodePen servers think the user is not logged in
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: wilander at apple.com

This tweet https://twitter.com/chriscoyier/status/1459304937230417920?s=21 by Chris Coyier shows in a screencast how clicking to navigate from a cross-site CodePen iframe leads to landing on a CodePen top frame page which shows the user as logged out when they are actually logged in.

Questions to investigate:
1) If the user truly logged out after this navigation or is it just that page load that sees the user as logged out?
2) The iframe obviously will not see the user as logged in since third-party cookies are blocked. Is the iframe changing something in the navigation based on this fact, which in turn makes the landing page believe the user is logged out?
3) Are SameSite cookies at play? We’ve had a couple of bugs historically where SameSite cookie treatment in WebKit differs from Gecko and Chromium for cross-site navigations.
4) Are ServiceWorkers at play? We’ve seen a couple of reports where the combo of SameSite cookies and ServiceWorkers has led to bugs.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211115/3f27b0bb/attachment-0001.htm>