[Webkit-unassigned] [Bug 257965] REGRESSION (iOS 16.4): Safari occasionally locks up and stops completing XHR requests

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 15 08:31:07 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=257965

--- Comment #4 from Nick M <webkit-bugzilla at cuzzo.net> ---
Hey there, I think we may have a lead on what could be causing the issue.

While researching the issue, we found this article[1] talking about changes to how cookies are handled in iOS 16.4, specifically surrounding third-party cookies and cookies using ‘CNAME cloaking.’ That article links to this WebKit PR[2], which discusses the change in detail.

Our application uses Okta as an Identity Provider, and utilizes the function ‘getWithoutPrompt’ in their SDK. According to their docs[3], this function is known to cause issues when it comes to third party cookie tracking prevention. Additionally, we use a CNAME record on our domain to direct traffic to Okta.

From what we’ve seen, the cookie is not being dropped from requests so we don’t believe the Okta method is broken or just being caught by tracking prevention. We are wondering if a bug was introduced with the iOS 16.4 change that is being triggered by our usage of Okta.

We also found a post on the Apple community forums[4] that feels like the same behavior we’re seeing in our application.

[1] https://www.imore.com/security/apples-secret-safari-cookie-crackdown-could-have-unintended-consequences-for-your-logins

[2] https://github.com/WebKit/WebKit/pull/5347

[3] https://github.com/okta/okta-auth-js#third-party-cookies

[4] https://discussions.apple.com/thread/254879217
