[Webkit-unassigned] [Bug 233165] New: AWS CloudFront signed cookies got thrown under the bus with the recent iframe/cookie lockdown

bugzilla-daemon at webkit.org
Mon Nov 15 19:41:11 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=233165

            Bug ID: 233165
           Summary: AWS CloudFront signed cookies got thrown under the bus
                    with the recent iframe/cookie lockdown
           Product: WebKit
           Version: Safari 15
          Hardware: Mac (Intel)
                OS: macOS 11
            Status: NEW
          Severity: Major
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sam at msgbox.me

Safari prevents CloudFront signed cookies from being transmitted to the server when the web application lives inside an iframe belonging to another domain.

I understand browsers are securing against malicious third-party cookies, but how is an HTTPS cookie a threat?

See references to this issue:

https://github.com/awslabs/unicornflix/issues/15 (long discussion with several developers facing this issue)
https://stackoverflow.com/questions/66445271/aws-signed-cookies-in-an-iframe


As far as I know, Chrome & Firefox do not prevent CloudFront signed cookies from being transmitted to the CloudFront distribution server.
