[Webkit-unassigned] [Bug 233165] New: AWS CloudFront signed cookies got thrown under the bus with the recent iframe/cookie lockdown
bugzilla-daemon at webkit.org
Mon Nov 15 19:41:11 PST 2021
https://bugs.webkit.org/show_bug.cgi?id=233165
Bug ID: 233165
Summary: AWS CloudFront signed cookies got thrown under the bus with the recent iframe/cookie lockdown
Product: WebKit
Version: Safari 15
Hardware: Mac (Intel)
OS: macOS 11
Status: NEW
Severity: Major
Priority: P2
Component: Frames
Assignee: webkit-unassigned at lists.webkit.org
Reporter: sam at msgbox.me
Safari prevents CloudFront signed cookies from being transmitted to the server when the web application lives inside an iframe belonging to another domain.
I understand browsers are securing against malicious third-party cookies, but how is an HTTPS cookie a threat?
See references to this issue:
https://github.com/awslabs/unicornflix/issues/15 (long discussion with several developers facing this issue)
https://stackoverflow.com/questions/66445271/aws-signed-cookies-in-an-iframe
As far as I know, Chrome & Firefox do not prevent CloudFront signed cookies from being transmitted to the CloudFront distribution server.