Bug 211180

Summary: 1st party cookies blocked in iframe on 30x redirect with "Prevent cross-site tracking"
Product: WebKit Reporter: Lance H <lance>
Component: FramesAssignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Normal CC: bfulgham, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Safari 13   
Hardware: Unspecified   
OS: Unspecified   

Description Lance H 2020-04-29 06:24:32 PDT 
We are experiencing what seems to be a bug related to the new "Prevent cross-site tracking" feature in our application.  The scenario is this:

User is logged into our application, which uses cookies and traditional sessions for authorization.  Our app opens an <iframe> to a 3rd party src (that happens to be a secure payment form for entering confidential payment information).  The payment information is submitted to the third party form using no cookies at all.  Once processing is finished, the third party's server responds with a 302 (or 303, we've tried both) redirecting the <iframe> back to the 1st party's domain.  The <iframe> sends a request to the 1st party domain (matching the top level window's domain), but no cookies are sent along with the redirected request, so the request is seen as unauthorized, since the session cannot be found.

We have no issues with any other browsers and did not have issues with Safari until the recent updates.
Comment 1 Radar WebKit Bug Importer 2020-04-29 18:01:03 PDT 
<rdar://problem/62627006>
Comment 2 John Wilander 2020-04-29 18:34:59 PDT 
Hi!

Thanks for filing! We’re always interested in hearing from developers about our changes.

What you’re reporting is not a bug. See “Cookie Blocking Latch Mode” in our latest blog post: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
Comment 3 Brent Fulgham 2022-02-12 23:12:18 PST 
This is behaving properly.