Bug 210612

Summary: Download Linked File does not provide cookie if SameSite=Lax
Product: WebKit Reporter: Sam Ottenhoff <ottenhoff>
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: achristensen, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 13   
Hardware: Mac   
OS: macOS 10.15   

Description Sam Ottenhoff 2020-04-16 10:52:21 PDT 
Observed by educational institutions using learning management software (LMS) with Safari 13.1 on macOS 10.15.4. All users must authenticate to the system. Session state is maintained via a cookie with "SameSite=Lax;Secure". Instructors upload files like syllabus.pdf and user must be authenticated to download the file. User cannot download syllabus.pdf via "Download Linked File" as the SameSite=Lax cookie is not presented to the server.

Proof of concept here: https://samesite.longsight.com/index.php. Reload after first view and the cookies presented to server will be displayed. Use "Download Linked File" and view as text to see what cookies (none) were sent to server.

This is same domain only, HTTPS only, and a very common use case in an authenticated learning management system.
Comment 1 Radar WebKit Bug Importer 2020-04-17 12:49:15 PDT 
<rdar://problem/61946588>
Comment 2 Alex Christensen 2020-05-15 16:42:36 PDT 
Thank you for reporting this.  Your proof of concept uses SameSite=Strict, not SameSite=Lax, but it led me to a good fix.  SameSite=Strict cookies were indeed not being sent.
Unfortunately, you won't see the fix here because the problematic code is not in open source WebKit.
If you're really enthusiastic about this bug, could you verify that the bug does not reproduce on iOS, and that the bug is fixed in an upcoming Safari Technology Preview?  I can't give you an exact time frame, but it's most likely that you'll see the fix there before anywhere else.
Comment 3 Sam Ottenhoff 2020-05-15 16:57:06 PDT 
* I fixed my proof of concept to only send the Lax cookie. 

* I tested on iOS 13.4.1 Safari and both cookies (Strict and Lax) are sent as expected when using Download Linked File.
Comment 4 Alex Christensen 2020-05-15 21:10:21 PDT 
Great!  Using your updated proof of concept I verified that SameSite=Lax and SameSite=Secure cookies are both fixed by the same non-open-source fix.