[Webkit-unassigned] [Bug 233128] Navigation from CodePen iframe to CodePen top frame makes CodePen servers think the user is not logged in

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 16 07:03:02 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=233128

--- Comment #3 from Chris Coyier <chriscoyier at gmail.com> ---

> > 1) They are definitely logged out. There is a cookie called `cp_session`
> > that just gets wiped out after the link click. https://d.pr/i/bVoA1A
> 
> Is the cookie deleted, you say? Is it the server that deletes it or
> overwrites it with a new one?
> 
> What I would assume here is one of these things happening:
> 
> a) The navigation from the iframe to the top frame doesn't carry the
> SameSite=lax cookie and so the resulting page load shows the user as logged
> out. However, a fresh of that page would show the user as logged in again
> because now the SameSite=lax cookie is sent.
> 
> b) The navigation from the iframe to the top frame doesn't carry the
> SameSite=lax cookie and the server deletes/overwrites some state in the
> response based on thinking that the user is not logged in. Even a fresh of
> the page will show the user as logged out because now their login cookie is
> indeed gone or overwritten.

It's `b` here. Refreshing the page the user is still logged out. 


Here's the steps to check it out...

1) Be logged in on CodePen. Accounts are free so I hope that's not too much trouble. Be at some page. Any should do, but here's one: https://codepen.io/manz/pen/dyzgWbo

2) Go to a third-party site with an Embedded Pen, like this https://css-tricks.com/almanac/properties/b/background-image/#demo

3) Click the "Edit on CodePen" link in the upper right of the embed.

4) You'll find yourself logged out on CodePen. If you got back to the page you had open in Step 1 and refresh, you'll see you are logged out there too. No amount of refreshing logs you in. 


> 
> Some follow-up questions:
> 
> 5) To make sure, is the `cp_session` cookie …
>  a) … just not sent in the navigation but still there on a reload or fresh
> load?
>  b) … deleted by WebKit during the navigation?
>  c) … deleted by the server in the navigational response? Deleted here means
> set to an expiry in the past.
>  d) … overwritten by the server in the navigational response?

I gotta imagine it's b, because if it was our servers, it would manifest in browsers other than Safari. 


> 6) Are there any cross-site redirects in the navigation or does it go
> directly to the destination site?
> 
> 7) Are there any same-site redirects in the navigation does it got directly
> to the destination page?

To both 6 and 7, no redirects at all, It's just a straight-up anchor link that goes to where it goes. 

> 
> 8) Can you share the link to reproduce the issue?

See steps above.

Anything else I can dig into lemme know.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211116/cca7fc33/attachment.htm>

More information about the webkit-unassigned mailing list