[Webkit-unassigned] [Bug 237350] Web App Added to Home Screen Cookies Deleted After 7 Days

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 2 14:46:39 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=237350

--- Comment #4 from John Wilander <wilander at apple.com> ---
(In reply to ben from comment #3)
> Thanks for replying and supplying the updated blog posts. 
> 
> This now makes a bit more sense as the app is made with React and so we
> created the cookie on the client-side with Javascript and it is the cookie
> with the authorisation code that was deleted. 
> 
> However, the cookie domain is for the first-party domain of the app, i.e.
> the app is on app.mydomain.com and the cookie domain is set to mydomain.com,
> does that not mean that it should be exempt or does the fact that it was
> created with Javascript override this?

It doesn't since it's not ITP actively deleting the cookie but rather a policy that all script-written cookies are capped to a max 7-day expiry. It's the expiry mechanism of cookies.

> Also, since the app was opened several times during the 7 day period, in my
> direct testing, shouldn't this have resulted in the cookie not being
> deleted? Or does there have to be an interaction to reset the ITP counter?

Nope. Again, it's the expiry mechanism of the cookie. It works just like if you set the expiry to be 7 days. No other storage mechanism has an expiry which is why those are on a "7 days of browser use without user interaction" timer.

We are aware of the request to make script-written cookies use the "7 days of browser use without user interaction" timer too. Doing that requires extra infrastructure support since after a cookie has been created, there is nothing to distinguish a cookie created in JavaScript and one created by a server (except that only servers can create HttpOnly cookies, which is in part why we always advise developers to set any sensitive cookies as HttpOnly).

Login cookies should always be HttpOnly, i.e. not be created or accessible by JavaScript. Script-accessible login cookies are a security anti-pattern since 1) they can be stolen through XSS, and 2) they cannot be kept outside the web content process where Spectre security attacks can happen.

-- 
You are receiving this mail because:
You are the assignee for the bug.
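An added example, not code from the bug thread or from WebKit, contrasting the anti-pattern discussed in comment #4 (an auth cookie written from React via `document.cookie`, which Safari caps to a 7-day expiry) with a server-issued HttpOnly cookie, plus a small audit helper that flags session cookies a script could read. The function names, the `SEVEN_DAYS` constant and the sample header values are assumptions for illustration.

```javascript
// Seven days in seconds: the cap Safari applies to script-written cookies
// (constant name is an assumption for this example).
const SEVEN_DAYS = 7 * 24 * 60 * 60;

// Anti-pattern: the React app writes the auth cookie itself with document.cookie.
// Whatever Max-Age it asks for, the effective lifetime is min(requested, 7 days),
// and reopening the app does not reset it; it is plain cookie expiry, not ITP.
function scriptWrittenCookieLifetime(requestedMaxAgeSeconds) {
  return Math.min(requestedMaxAgeSeconds, SEVEN_DAYS);
}

// Hardened: the server issues the login cookie in a Set-Cookie response header.
// HttpOnly keeps it out of JavaScript (no XSS theft, kept outside the web
// content process); Secure and SameSite are the usual companions.
function buildSessionCookie(name, value, maxAgeSeconds, domain) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    `Domain=${domain}`,
    'Path=/',
    'Secure',
    'HttpOnly',
    'SameSite=Lax',
  ].join('; ');
}

// Audit helper: parse one Set-Cookie header and report whether a script could
// read the cookie (missing HttpOnly). Useful for checking a login response.
function auditSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0];
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].toLowerCase()));
  return {
    name,
    httpOnly: attrs.has('httponly'),
    secure: attrs.has('secure'),
    scriptAccessible: !attrs.has('httponly'),
  };
}

// Constructed sample: a 30-day login cookie for app.mydomain.com, scoped to the parent domain.
const sampleHeader = buildSessionCookie('session', 'opaque-token', 30 * 24 * 60 * 60, 'mydomain.com');
console.log(sampleHeader);
console.log(auditSetCookie(sampleHeader));
console.log(auditSetCookie('auth=opaque-token; Max-Age=2592000; Domain=mydomain.com; Path=/'));
```

The last call models the original report: a cookie without HttpOnly is script-accessible and, when written by script, lives at most seven days.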