Bug 215603

Summary: couldn't get cookie by js, and the cookie from a request header which includes set-cookie
Product: WebKit
Reporter: Xin-U, Liu <cacocacoon>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Major
CC: achristensen, beidson, cdumez, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: Safari 13
Hardware: All
OS: macOS 10.15
Attachments:
Description Flags
my test website page cacocacoon: review-, cacocacoon: commit-queue-

Description Xin-U, Liu 2020-08-18 04:52:02 PDT
Created attachment 406777 [details]
my test website page

Hi,

I found a cookie bug whose behavior is weird, and it happens on Safari and Chrome on an iOS device.

Current behavior:
1. Open Safari, and set the Safari preference "Safari opens with" to "All windows from last session".
2. Create a new page like the attachment below.
3. Create a new tab, then make a request to the server on the page; the server responds with data which includes a Set-Cookie header like below:

`
Set-Cookie: XSRF-TOKEN=767e3675-d094-4af5-a9ab-330529151523; Domain=fleet.dev.aaa.com; Path=/; Secure; SameSite=Strict
`
and obviously I can read XSRF-TOKEN by calling `document.cookie`.
4. Close the whole browser using the shortcut key `command + Q`, and open Safari again.
5. Then call the request again; the server also responds with data which includes a Set-Cookie header like below:
`
Set-Cookie: XSRF-TOKEN=767e3675-d094-4af5-a9ab-330529151523; Domain=fleet.dev.aaa.com; Path=/; Secure; SameSite=Strict
`
6. And you will find that JS can't read XSRF-TOKEN by calling `document.cookie`.

I found that JS can't read XSRF-TOKEN because the page was restored from the last session, but JS can read XSRF-TOKEN because the page was opened from a whole new tab.
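
A diagnostic sketch for the report above, added here and not part of the original bug report or of WebKit's code: it parses the Set-Cookie header quoted in steps 3 and 5 and lists which attributes, if any, would hide the cookie from `document.cookie` on a given page URL. The function names and any page URL passed in are assumptions; the check uses RFC 6265 domain and path matching and assumes a top-level, same-site document, so SameSite is not evaluated.

```javascript
// Added example. Header copied from the report; function names are hypothetical.
const REPORTED_HEADER =
  "XSRF-TOKEN=767e3675-d094-4af5-a9ab-330529151523; Domain=fleet.dev.aaa.com; Path=/; Secure; SameSite=Strict";

// Parse one Set-Cookie value into name, value and lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Reasons the cookie would be hidden from document.cookie on pageUrl
// (empty array: script on that page is expected to see it).
function hiddenReasons(cookie, pageUrl) {
  const url = new URL(pageUrl);
  const host = url.hostname.toLowerCase();
  const reasons = [];
  if (cookie.attrs.httponly) reasons.push("HttpOnly");
  if (cookie.attrs.secure && url.protocol !== "https:") reasons.push("Secure on non-HTTPS page");
  // A Domain attribute also covers subdomains; without one the cookie is
  // host-only and is assumed here to have been set by the page's own host.
  const d = cookie.attrs.domain;
  const domain = typeof d === "string" && d ? d.replace(/^\./, "").toLowerCase() : null;
  if (domain !== null && host !== domain && !host.endsWith("." + domain)) reasons.push("Domain mismatch");
  // Path match: equal, or a prefix that ends at a "/" boundary.
  const reqPath = url.pathname || "/";
  const path = typeof cookie.attrs.path === "string" && cookie.attrs.path.startsWith("/")
    ? cookie.attrs.path
    : reqPath.slice(0, reqPath.lastIndexOf("/")) || "/";
  const pathOk = reqPath === path ||
    (reqPath.startsWith(path) && (path.endsWith("/") || reqPath[path.length] === "/"));
  if (!pathOk) reasons.push("Path mismatch");
  return reasons;
}

// Look up one cookie in a document.cookie-style string; null when absent.
function readCookie(cookieString, name) {
  for (const item of cookieString.split(";")) {
    const [k, ...v] = item.trim().split("=");
    if (k === name) return v.join("=");
  }
  return null;
}
```

In a page, logging `readCookie(document.cookie, "XSRF-TOKEN")` after each request gives a value to compare between the fresh-tab run and the restored-session run.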
Comment 1 Radar WebKit Bug Importer 2020-08-18 09:21:51 PDT
<rdar://problem/67331868>
Comment 2 John Wilander 2020-08-18 09:57:14 PDT
This sounds like something CFNetwork should look at. Or possibly Chris Dumez with the recent changes to document.cookie.
Comment 3 Xin-U, Liu 2020-08-18 19:02:09 PDT
When calling the same request again, it includes the XSRF-TOKEN cookie, but it is not shown in Web Inspector.
Comment 4 Xin-U, Liu 2020-08-19 20:47:53 PDT
Comment on attachment 406777 [details]
my test website page

delete
Comment 5 Xin-U, Liu 2020-09-03 03:49:31 PDT
Hi,
I have been stuck on this issue for a long time.
Does anyone have any feedback?
Comment 6 Brady Eidson 2020-09-04 09:38:04 PDT
(In reply to Xin-U, Liu from comment #5)
> Hi,
> I have been stuck on this issue for a long time.
> Does anyone have any feedback?

If you had a live test case that worked as expected in another browser but is broken in Safari, that'd go a long way in helping to explore it.