Bug 215603

Summary:

couldn't get cookie by js, and the cookie from a request header which including set-cookie

Product:

WebKit

Reporter:

Xin-U, Liu <cacocacoon>

Component:

New Bugs

Assignee:

Nobody <webkit-unassigned>

Status:

NEW

Severity:

Major

CC:

achristensen, beidson, cdumez, webkit-bug-importer, wilander

Priority:

Keywords:

InRadar

Version:

Safari 13

Hardware:

All

OS:

macOS 10.15

Attachments:

Description	Flags
my test website page	cacocacoon: review-, cacocacoon: commit-queue-

Xin-U, Liu

Reported 2020-08-18 04:52:02 PDT

Created attachment 406777 [details] my test website page Hi, I found a cookie bug which behavior is weird, and it happens on safari and chrome on iOS device current behavior: 1. open safari, and set safari preferences of "safari opens with" to "all windows from last session" 2. create new page like below attachment 3. create a new tab than making a request to server on the page, server responses data which includes set-cookie header like below ` Set-Cookie: XSRF-TOKEN=767e3675-d094-4af5-a9ab-330529151523; Domain=fleet.dev.aaa.com; Path=/; Secure; SameSite=Strict ` and obviously I can read XSRF-TOKEN by calling `document.cookie` 4. close whole browser by using shortcut key `command + Q`, and open safari again 5. then call the request again, server also responses data which includes set-cookie header like below ` Set-Cookie: XSRF-TOKEN=767e3675-d094-4af5-a9ab-330529151523; Domain=fleet.dev.aaa.com; Path=/; Secure; SameSite=Strict ` 6. and you will find that js can't read XSRF-TOKEN by calling `document.cookie` I found that js can't read XSRF-TOKEN because the page restored from last session, but js can read XSRF-TOKEN because the page opened from a whole new tab

Attachments
my test website page (324.89 KB, image/png) 2020-08-18 04:52 PDT, Xin-U, Liu	cacocacoon: review- cacocacoon: commit-queue-	Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2020-08-18 09:21:51 PDT

<rdar://problem/67331868>

John Wilander

Comment 2 2020-08-18 09:57:14 PDT

This sounds like something CFNetwork should look at. Or possibly Chris Dumez with the recent changes to document.cookie.

Xin-U, Liu

Comment 3 2020-08-18 19:02:09 PDT

If calling same request again, which includes the XSRF-TOKEN cookie, but not show on web inspector

Xin-U, Liu

Comment 4 2020-08-19 20:47:53 PDT

Comment on attachment 406777 [details] my test website page delete

Xin-U, Liu

Comment 5 2020-09-03 03:49:31 PDT

Hi, I was stuck by this issue for a long time. Does anyone have any feedback?

Brady Eidson

Comment 6 2020-09-04 09:38:04 PDT

(In reply to Xin-U, Liu from comment #5) > Hi, > I was stuck by this issue for a long time. > Does anyone have any feedback? If you had a live test case that worked as expected in another browser but is broken in Safari, that'd go a long way in helping to explore it.

Note You need to log in before you can comment on or make changes to this bug.