Bug 238202

<rdar://problem/90633734>

Created attachment 455374 [details]
Tests

Uploaded tests are passing in Chrome and Firefox but not in Safari.

Created attachment 455381 [details]
Patch

Comment on attachment 455381 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=455381&action=review

r=me based on enhancing the tests (and getting green EWS bots).

> LayoutTests/http/tests/cookies/resources/testharness-helpers.js:38
> +    document.cookie = LAX_DOM + "=1; SameSite=Lax; Max-Age=100; path=/";

Please add a SameSite=Strict cookie too and make sure it works as expected.

> LayoutTests/http/tests/cookies/resources/testharness-helpers.js:68
> +    document.cookie = LAX_DOM + "=1; SameSite=Lax; Max-Age=100; path=/";

Ditto on a SameSite=Strict cookie.

> LayoutTests/http/tests/cookies/same-site/popup-from-iframe-same-site-with-post-form-expected.txt:2
> +PASS popup opened as 'about:blank', then post navigation to 127.0.0.1, so samesite cookies are sent.

This output should be more specific and say whether SameSite Lax and SameSite Strict cookies were sent.

> LayoutTests/http/tests/cookies/same-site/popup-from-iframe-same-site-with-post-form-expected.txt:3
> +PASS popup opened as '127.0.0.1', then post navigation to 127.0.0.1, so samesite cookies are sent.

Ditto.

> LayoutTests/http/tests/cookies/same-site/popup-from-iframe-same-site-with-post-form-expected.txt:4
> +PASS popup loaded as '127.0.0.1', then post navigation to 127.0.0.1, so samesite cookies are sent.

Ditto, plus I would like if this test output was distinct from the one above. Could we add more details so that it's clear what's being tested?

> LayoutTests/http/tests/cookies/same-site/popup-same-site-with-post-form-expected.txt:2
> +PASS popup opened as 'about:blank', then post navigation to 127.0.0.1, so samesite cookies are sent.

Ditto on cookie details.

> LayoutTests/http/tests/cookies/same-site/popup-same-site-with-post-form-expected.txt:3
> +PASS popup opened as '127.0.0.1', then post navigation to 127.0.0.1, so samesite cookies are sent.

Ditto.

> LayoutTests/http/tests/cookies/same-site/popup-same-site-with-post-form-expected.txt:4
> +PASS popup loaded as '127.0.0.1', then post navigation to 127.0.0.1, so samesite cookies are sent.

Ditto, plus the comment on making it distinct.

(In reply to John Wilander from comment #5)
> Comment on attachment 455381 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=455381&action=review
> 
> r=me based on enhancing the tests (and getting green EWS bots).

Updated the tests accordingly.

> > LayoutTests/http/tests/cookies/same-site/popup-same-site-with-post-form-expected.txt:4
> > +PASS popup loaded as '127.0.0.1', then post navigation to 127.0.0.1, so samesite cookies are sent.
> 
> Ditto, plus the comment on making it distinct.

I updated the comment. In one case we are opening the popup on 127.0.0.1 and in the other case we are fully loading a page in 127.0.0.1, before doing post navigation.

Created attachment 455472 [details]
Patch for landing

<rdar://88979099>

Committed r291741 (248773@main): <https://commits.webkit.org/248773@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 455472 [details].

Hmm. Are you sure SameSite=strict cookies should be sent in these cases?

See https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1

(In reply to John Wilander from comment #10)
> Hmm. Are you sure SameSite=strict cookies should be sent in these cases?

Navigation is same origin (127.0.0.1 to 127.0.0.1) so SameSite=strict should do the same as SameSite=lax, no?

FWIW, Chrome and Firefox are also sending strict cookies for those tests.
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 seems to be about allowing same-site cookies in some cases of cross-origin top level navigations (for GET method).

*** Bug 227819 has been marked as a duplicate of this bug. ***