Bug 247865

Summary: Cookies set from third-party IP addresses not restricted when Private Relay hides IP address from websites
Product: WebKit Reporter: Simo Ahava <simo.s.ahava>
Component: PlatformAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: dmdabbs, webkit-bug-importer, wenson_hsieh, wilander
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Mac (Apple Silicon)   
OS: macOS 13   

Description Simo Ahava 2022-11-13 12:37:38 PST 
Feature reference: https://bugs.webkit.org/show_bug.cgi?id=246477

Testing in Safari Technology Preview 157 with "Hide IP Address" set to "From trackers and websites", cookies set in an HTTP response's Set-Cookie headers are not automatically set to expire in 7 days when the response is sent from a third-party IP address.

Tested with STP 157 (Safari 16.4, WebKit 18615.1.11.7), Apple M1 Max Ventura 13.0.

Steps to repro:

1) Make sure Hide IP Address is set to "From trackers and websites" in STP Settings.
2) Visit https://www.simoahava.com
3) Observe the "FPID" cookie set with an expiration of 2 years

The FPID cookie is set in an HTTP response from sgtm.simoahava.com, which is mapped with A/AAAA records to a third-party IP address.

If I switch Hide IP Address to "From trackers only", clear cookies and restart Safari, the cookie is set with 7 days expiration as expected.
Comment 1 Radar WebKit Bug Importer 2022-11-14 05:48:42 PST 
<rdar://problem/102317782>
Comment 2 John Wilander 2022-11-14 05:49:19 PST 
Thanks for filing, Simo! We’ll have a look.