[Webkit-unassigned] [Bug 245275] New: submitting html contact form with csrf cookie

Fri Sep 16 07:36:51 PDT 2022

https://bugs.webkit.org/show_bug.cgi?id=245275

            Bug ID: 245275
           Summary: submitting html contact form with csrf cookie
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: wgordonw1 at gmail.com

There are legitimate use cases for contact/feedback/survey/etc forms to be hosted on one domain and shared amongst many partner domains.

The current ITP workflow makes this very difficult and prevents a seamless experience.

Please consider allowing user initiated form submissions (i.e. from clicking a "submit" button) from third party iFrames to submit with CSRF cookies.  Surely basic html forms don't need to be restricted so aggressively that they prevent this use case?  Perhaps cookies could be forced as HttpOnly in third-party context for forms?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220916/a6d967f0/attachment.htm>