Bug 214608

I am not sure if this is a real bug or it's just not clear from Safari release notes what should be the expected behavior when we have enabled "Prevent cross-site tracking" in Safari privacy settings.

Reference to release notes: https://developer.apple.com/documentation/safari-release-notes/safari-13_1-release_notes

"Added cookie blocking for all cross-site resources by default."


Demo:

This website here is used for demonstration if a cookie with a flag SameSite=None is created in iframe on 3rd party context: https://animated-caribou.glitch.me 


SiteB is a website loaded in an iframe and it demonstrates what cookies are created inside.

I see different behavior on Catalina and Mojave:

=== Mojave ===

OS version: 10.14.6
Safari version: 13.1.1 (14609.2.9.1.3)
"Prevent cross-site tracking": Enabled
User Agent String: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15

Result SiteB:

1. document.cookie: foo=SiteBCookie; foo2=SiteBNone
2. Cookie on Server: {"foo":"SiteBCookie","foo2":"SiteBNone"}


=== Catalina ===

OS version: 10.15.4
Safari version: Version 13.1 (15609.1.20.111.8)
"Prevent cross-site tracking": Enabled
User Agent String: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15

Result SiteB:

1. document.cookie: 
2. Cookie on Server: {}



Question:

The question is why cookies are not created on Catalina and is this a bug or did Safari decide to block all cookies in such context even if the spec for None says: "Cookies will be sent in all contexts, i.e sending cross-origin is allowed.". Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite