[Webkit-unassigned] [Bug 233128] Navigation from CodePen iframe to CodePen top frame makes CodePen servers think the user is not logged in

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 15 16:23:20 PST 2021


--- Comment #2 from John Wilander <wilander at apple.com> ---
(In reply to Chris Coyier from comment #1)
> Thanks so much for opening this John! Indeed this is a weird bug we've been
> trying to track down without luck so far. To answer the questions....
> 1) They are definitely logged out. There is a cookie called `cp_session`
> that just gets wiped out after the link click. https://d.pr/i/bVoA1A

Is the cookie deleted, you say? Is it the server that deletes it or overwrites it with a new one?

What I would assume here is one of these things happening:

a) The navigation from the iframe to the top frame doesn't carry the SameSite=lax cookie and so the resulting page load shows the user as logged out. However, a refresh of that page would show the user as logged in again because now the SameSite=lax cookie is sent.

b) The navigation from the iframe to the top frame doesn't carry the SameSite=lax cookie and the server deletes/overwrites some state in the response based on thinking that the user is not logged in. Even a refresh of the page will show the user as logged out because now their login cookie is indeed gone or overwritten.

> 2) Yeah there is no need to attempt to see if a user is logged in or not
> with the embed itself.
> 3) Looks like SameSite = Lax (is this the culprit?)

It could be. We've had cases where our logic for SameSite (lax or strict) cookies has differed from Gecko and Chromium. Sometimes there is no standardized test so it's a case of a de facto standard. See this one for instance: https://bugs.webkit.org/show_bug.cgi?id=208049

> 4) No ServiceWorkers in use.

Good to know.

Some follow-up questions:

5) To make sure, is the `cp_session` cookie …
 a) … just not sent in the navigation but still there on a reload or fresh load?
 b) … deleted by WebKit during the navigation?
 c) … deleted by the server in the navigational response? Deleted here means set to an expiry in the past.
 d) … overwritten by the server in the navigational response?

6) Are there any cross-site redirects in the navigation or does it go directly to the destination site?

7) Are there any same-site redirects in the navigation or does it go directly to the destination page?

8) Can you share the link to reproduce the issue?
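
The distinction drawn in question 5 can be checked mechanically from a captured navigation. The following is an added example, not part of the original message or of WebKit or CodePen code: it sorts one navigation into cases 5a to 5d from the request `Cookie` header and the response `Set-Cookie` headers. The function names, the `presentOnReload` input and the sample headers are assumptions made for illustration, and the cookie is assumed not to have reached its own expiry.

```javascript
// Added example: classify what happened to a session cookie during one navigation,
// from the request Cookie header and the response Set-Cookie headers.
const COOKIE = 'cp_session'; // cookie name from the thread

function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const out = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    out.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return out;
}

// "Deleted" as defined in question 5c: expiry in the past (or Max-Age <= 0).
function isDeletion(c, now) {
  // Max-Age takes precedence over Expires (RFC 6265).
  if ('max-age' in c.attrs) return Number(c.attrs['max-age']) <= 0;
  if ('expires' in c.attrs) return Date.parse(c.attrs.expires) <= now;
  return false;
}

function classify({ cookieHeader = '', setCookie = [], presentOnReload, now = Date.now() }) {
  const sent = cookieHeader.split(';').some(p => p.trim().startsWith(COOKIE + '='));
  // Later Set-Cookie lines replace earlier ones (same name, domain and path assumed).
  const last = setCookie.map(parseSetCookie).filter(c => c.name === COOKIE).pop();
  if (last && isDeletion(last, now)) return '5c';      // server expired it
  if (last) return sent ? 'sent-and-reissued' : '5d';  // server set a new value
  if (sent) return 'sent';                             // cookie travelled, untouched
  if (presentOnReload === true) return '5a';           // withheld on this request only
  if (presentOnReload === false) return '5b';          // gone with no Set-Cookie from the server
  return '5a-or-5b';                                   // needs a reload to tell apart
}

// Constructed sample: navigation request without the cookie, server answers by expiring it.
const sample = {
  cookieHeader: 'theme=dark',
  setCookie: ['cp_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Lax'],
};
console.log(classify(sample)); // 5c
```

Cases 5a and 5b look identical on the wire, which is why the classifier needs the result of a later reload to separate them.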

