[Webkit-unassigned] [Bug 237474] Safari ITP deleting same site cookies when Service Worker in place
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Mar 4 09:23:34 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=237474
--- Comment #2 from John Wilander <wilander at apple.com> ---
Hi! Thanks for filing!
Interesting investigation. I don't immediately see how the combo of SW and Private Relay could result in server-set cookies being deleted.
Three things to note though:
· Cookies set in JavaScript expire after 7 days *calendar time*. However, that is not the case for other script-written storage. Those are deleted after 7 days of browser usage without user interaction as first party. It would be good to be explicit about calendar time vs days of use here.
· Cookies set through third-party CNAME cloaking expire after 7 days calendar time. See "CNAME Cloaking Defense" in our documentation: https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp. It would be good to know if third-party CNAME cloaking is at play here.
· HttpOnly being a factor sounds to me like JavaScript may be a factor too. Could it be that these cookies start out server-set but then get re-written in script?
Our guidance is to always set login cookies as HttpOnly, for security reasons. Is there a reason why they can't be HttpOnly? That's not to say there's no bug here, but it's important to know.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220304/df7c5625/attachment.htm>
More information about the webkit-unassigned
mailing list