Bug 206643

Summary: Safari not sending first party cookies in iframe requests
Product: WebKit
Reporter: Sam Tannous <stannous>
Component: Frames
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, beidson, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: Safari 13
Hardware: Mac
OS: macOS 10.14
Attachments:
first party cookies not sent in iframe request (flags: none)

Description Sam Tannous 2020-01-22 21:29:35 PST
Created attachment 388515
first party cookies not sent in iframe request

Safari Version 13.0.4 (14608.4.9.1.4)
macOS Version 10.14.6 (18G2022)

Steps to reproduce:

Note that immediately before performing these steps in the video I cleared all cookies and website data and authenticated with the respective domains anew.

1) Visit domain B directly (bbcfamilytest.atlassian.net in the attached video) to set first party session cookies.
2) Visit domain A which contains an iframe src to domain B -> Safari does NOT send the first party cookies along with the iframe's 3rd party src request.

We've reproduced this issue on multiple machines, and once reproduced the problem persists indefinitely; however, it does not occur on every machine, even with the same version of Safari.

I've been looking at ITP and Safari's 24 hour limit on first party cookies used in a 3rd party context but none of that explains the issue since I am resetting the cookie and visiting the first party domain before testing. Is it possible that ITP is banning the domain after a period of time and that resetting cookies doesn't reset the counter?

Disabling Safari's "prevent cross-site tracking" feature does not change this behavior.

Possibly related to https://bugs.webkit.org/show_bug.cgi?id=196592
Comment 1 Radar WebKit Bug Importer 2020-01-22 22:52:19 PST
<rdar://problem/58825423>
Comment 2 John Wilander 2020-01-24 13:39:01 PST
Hi! Thanks for filing. What you're seeing is two different things.

With "Prevent cross-site tracking" enabled, ITP is on and blocks cookies for domains that have cross-site tracking capabilities. The 24 hour window you refer to was removed in 2018 and ITP has seen many updates since. You can read blogposts on all the updates under the Privacy category on the WebKit blog: https://webkit.org/blog/category/privacy/

With "Prevent cross-site tracking" enabled, your path to get cookie access as a third-party iframe is to make use of the Storage Access API. That API has been shipping in Safari for almost two years and is nowadays also available in Firefox, with an Edge implementation pending. Brave has expressed interest in supporting the API once Edge has landed it in Chromium.

With "Prevent cross-site tracking" disabled, you are hitting a known bug in Safari 13.0.4 on macOS: https://bugs.webkit.org/show_bug.cgi?id=204109. It is fixed in Safari in the latest macOS betas and in Safari Technology Preview. Please try there.
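The Storage Access API flow that Comment 2 points the reporter to, as an added example; this is not code from the bug report or from WebKit. It shows what an embedded iframe (domain B in the reporter's steps) does when it legitimately needs its own first-party cookies while ITP is on: check `document.hasStorageAccess()`, and only from a user gesture call `document.requestStorageAccess()`. The `fakeDocument` helper and the injectable `doc` parameter are constructed here so the decision logic can be exercised outside a browser; the real calls are the standard `hasStorageAccess` / `requestStorageAccess` methods.

```javascript
// Added example (not from the bug report or WebKit): Storage Access API flow
// for a third-party iframe under ITP. `doc` defaults to the real document but
// is injectable so the logic can be run and checked outside a browser.

async function ensureStorageAccess(doc = globalThis.document) {
  // Browsers without the API: cookies follow their default third-party policy.
  if (!doc || typeof doc.hasStorageAccess !== "function") {
    return { state: "unsupported", requested: false };
  }
  // Cheap check first: access may already have been granted to this frame.
  if (await doc.hasStorageAccess()) {
    return { state: "granted", requested: false };
  }
  // requestStorageAccess() must be called inside a user gesture (for example a
  // click handler in the iframe); outside one, the promise rejects.
  try {
    await doc.requestStorageAccess();
    return { state: "granted", requested: true };
  } catch (err) {
    return { state: "denied", requested: true, reason: String(err) };
  }
}

// Constructed stand-in for `document`, used only to exercise the flow offline.
// Flags model: API present, access already granted, call made from a user
// gesture, and whether the browser/user would grant the request.
function fakeDocument({ supported = true, hasAccess = false, userGesture = true, allow = true } = {}) {
  if (!supported) return {};
  return {
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => {
      if (!userGesture) throw new Error("requestStorageAccess requires a user gesture");
      if (!allow) throw new Error("storage access denied");
      hasAccess = true; // subsequent hasStorageAccess() calls now report true
    },
  };
}

// Typical wiring inside the iframe: ask only after a click, then reload the
// cookie-dependent content once access is granted. `button` is any element
// with addEventListener; `onGranted` is the caller's callback.
function wireAccessButton(button, doc = globalThis.document, onGranted = () => {}) {
  button.addEventListener("click", async () => {
    const result = await ensureStorageAccess(doc);
    if (result.state === "granted") onGranted(result);
  });
}
```

Two practical points follow from the flow: the request has to originate from a user gesture inside the iframe, so the embedded page needs a visible control rather than calling the API on load, and a "denied" result should degrade to a logged-out view of the frame instead of retrying in a loop. In Safari at the time of this report, the embedded domain also had to have been visited as a first party with user interaction beforehand, which matches step 1 of the reporter's reproduction.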
Comment 3 Sam Tannous 2020-01-29 19:20:35 PST
I verified that it is indeed working again in Safari Technology Preview Release 99 (Safari 13.2, WebKit 14610.1.1)