Bug 206643

Summary: Safari not sending first party cookies in iframe requests
Product: WebKit Reporter: Sam Tannous <stannous>
Component: FramesAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, beidson, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Safari 13   
Hardware: Mac   
OS: macOS 10.14   
Attachments:
Description Flags
first party cookies not sent in iframe request none

Sam Tannous
Reported 2020-01-22 21:29:35 PST
Created attachment 388515 [details] first party cookies not sent in iframe request Safari Version 13.0.4 (14608.4.9.1.4) macOS Version 10.14.6 (18G2022) Steps to reproduce: Note that immediately before performing these steps in the video I cleared all cookies and website data and authenticated with the respective domains anew. 1) Visit domain B directly (bbcfamilytest.atlassian.net in the attached video) to set first party session cookies. 2) Visit domain A which contains an iframe src to domain B -> Safari does NOT send the first party cookies along with the iframe's 3rd party src request. We've reproduced this issue on multiple machines and once reproduced the problem persists indefinitely however it does not occur on every machine even with the same version of Safari. I've been looking at ITP and Safari's 24 hour limit on first party cookies used in a 3rd party context but none of that explains the issue since I am resetting the cookie and visiting the first party domain before testing. Is it possible that ITP is banning the domain after a period of time and that resetting cookies doesn't reset the counter? Disabling Safari's "prevent cross-site tracking" feature does not change this behavior. Possibly related to https://bugs.webkit.org/show_bug.cgi?id=196592
Attachments
first party cookies not sent in iframe request (18.71 MB, video/quicktime)
2020-01-22 21:29 PST, Sam Tannous 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-01-22 22:52:19 PST
<rdar://problem/58825423>
John Wilander
Comment 2 2020-01-24 13:39:01 PST
Hi! Thanks for filing. What you're seeing is two different things. With "Prevent cross-site tracking" enabled, ITP is on and blocks cookies for domains that have cross-site tracking capabilities. The 24 hour window you refer to was removed in 2018 and ITP has seen many updates since. You can read blogposts on all the updates under the Privacy category on the WebKit blog: https://webkit.org/blog/category/privacy/ With "Prevent cross-site tracking" enabled, your path to get cookie access as a third-party iframe is to make use of the Storage Access API. That API has been shipping in Safari for almost two years and is nowadays also available in Firefox with an Edge implementation pending. Brave has expressed interested in supporting the API once Edge has landed it in Chromium. With "Prevent cross-site tracking" disabled, you are hitting a known bug in Safari 13.0.4 on macOS: https://bugs.webkit.org/show_bug.cgi?id=204109 It is fixed in Safari in the latest macOS betas and in Safari Technology Preview. Please try there.
Sam Tannous
Comment 3 2020-01-29 19:20:35 PST
I verified that it is indeed working again in Safari Technology Preview Release 99 (Safari 13.2, WebKit 14610.1.1)
Note You need to log in before you can comment on or make changes to this bug.