214608 2020-07-21 11:53:49 -0700 Cookie with SameSite=None not created in an iframe on Catalina but works fine in Mojave 2020-07-21 18:42:27 -0700 1 1 1 Unclassified WebKit New Bugs Safari 13 Mac macOS 10.15 NEW InRadar P2 Normal --- 1 tstoyche webkit-unassigned sihui_liu webkit-bug-importer wilander oldest_to_newest 1673546 0 tstoyche 2020-07-21 11:53:49 -0700 I am not sure if this is a real bug or it's just not clear from Safari release notes what should be the expected behavior when we have enabled "Prevent cross-site tracking" in Safari privacy settings. Reference to release notes: https://developer.apple.com/documentation/safari-release-notes/safari-13_1-release_notes "Added cookie blocking for all cross-site resources by default." Demo: This website here is used for demonstration if a cookie with a flag SameSite=None is created in iframe on 3rd party context: https://animated-caribou.glitch.me SiteB is a website loaded in an iframe and it demonstrates what cookies are created inside. I see different behavior on Catalina and Mojave: === Mojave === OS version: 10.14.6 Safari version: 13.1.1 (14609.2.9.1.3) "Prevent cross-site tracking": Enabled User Agent String: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15 Result SiteB: 1. document.cookie: foo=SiteBCookie; foo2=SiteBNone 2. Cookie on Server: {"foo":"SiteBCookie","foo2":"SiteBNone"} === Catalina === OS version: 10.15.4 Safari version: Version 13.1 (15609.1.20.111.8) "Prevent cross-site tracking": Enabled User Agent String: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15 Result SiteB: 1. document.cookie: 2. Cookie on Server: {} Question: The question is why cookies are not created on Catalina and is this a bug or did Safari decide to block all cookies in such context even if the spec for None says: "Cookies will be sent in all contexts, i.e sending cross-origin is allowed.". Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite 1673716 1 webkit-bug-importer 2020-07-21 18:42:27 -0700 <rdar://problem/65914276>