247865 – Cookies set from third-party IP addresses not restricted when Private Relay hides IP address from websites

Bug 247865 - Cookies set from third-party IP addresses not restricted when Private Relay hides IP address from websites

Summary: Cookies set from third-party IP addresses not restricted when Private Relay h...

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Platform (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Mac (Apple Silicon) macOS 13

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-11-13 12:37 PST by Simo Ahava
Modified:	2023-04-06 10:37 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Simo Ahava 2022-11-13 12:37:38 PST

Feature reference: https://bugs.webkit.org/show_bug.cgi?id=246477

Testing in Safari Technology Preview 157 with "Hide IP Address" set to "From trackers and websites", cookies set in an HTTP response's Set-Cookie headers are not automatically set to expire in 7 days when the response is sent from a third-party IP address.

Tested with STP 157 (Safari 16.4, WebKit 18615.1.11.7), Apple M1 Max Ventura 13.0.

Steps to repro:

1) Make sure Hide IP Address is set to "From trackers and websites" in STP Settings.
2) Visit https://www.simoahava.com
3) Observe the "FPID" cookie set with an expiration of 2 years

The FPID cookie is set in an HTTP response from sgtm.simoahava.com, which is mapped with A/AAAA records to a third-party IP address.

If I switch Hide IP Address to "From trackers only", clear cookies and restart Safari, the cookie is set with 7 days expiration as expected.

Comment 1 Radar WebKit Bug Importer 2022-11-14 05:48:42 PST

<rdar://problem/102317782>

Comment 2 John Wilander 2022-11-14 05:49:19 PST

Thanks for filing, Simo! We’ll have a look.