279153 2024-09-04 16:04:45 -0700 iOS 18 does not allow a client application to specify SameSite=None 2025-01-14 09:35:46 -0800 1 1 1 Unclassified WebKit New Bugs Other iPhone / iPad iOS 18 RESOLVED FIXED InRadar P2 Blocker --- 280080 1 chonkate charliew alexandcote charliew chonkate commit-queue gareth.shapiro josephasmith1310 loydcrodrigueza max rikardt webkit-bug-importer oldest_to_newest 2057728 0 chonkate 2024-09-04 16:04:45 -0700 Context: Our organization distributes an in-house iOS application that injects an auth cookie into https://developer.apple.com/documentation/foundation/httpcookiestorage intended for our IdP (e.g. `auth.organization.com`), when the end-user navigates to (e.g. `service.alternate-domain.dev`), the service will redirect to the IdP and the expected cookie is not included in the request. This issue was first encountered with iOS 14 due to Intelligent Tracking Protection and we worked around the issue by enabling `NSCrossWebsiteTrackingUsageDescription` to allow our customers to opt-in to cross-domain cookies only within the application. Additionally, since iOS https://developer.apple.com/documentation/foundation/httpcookiestringpolicy has historically only allowed the "Lax" and "Strict" values, our application has been relying on the default behavior, when SameSite is omitted for WebKit to consider it to be `SameSite=None`. Issue and data: On iOS 18 beta 8 we observed the same behavior of IdP cookie no longer being included in the request and observed the below behavior (with ITP disabled): - WebKit is honoring the cookie's SameSite=None attribute when the cookie is set by server in this case the IdP - Attempts to set this attribute from the client side (from the app interacting with the iOS cookie store) have been unsuccessful. For example, by setting `.sameSitePolicy = "none"` - Safari Web Inspector shows the option to set the cookie's SameSite attribute to None, it however, does not get honored either, and is immediately reverted. Analysis: With the data collected so far it seems there is a gap between iOS default behavior to assume WebKit is using `SameSite=None` and the new WebKit change that breaks this assumption to now use `SameSite=Lax` as the default. Because of this gap, the iOS application is no longer able to set SameSite=None breaking existing web flows. Ask: Our internal teams are evaluating multiple options for mitigating impact before iOS 18 release. As such we're looking to get a bit more data and opening up possible mitigation options: - What is the purpose of introducing the backwards incompatible change for stricter cookie behavior (default SameSite=Lax) in WebKit? - Why is the `SameSite=None` only honored when a server specifies the cookie attribute and not when the client specifies it? - Is it feasible for WebKit to implement any of the below as a workaround - Add `none` as an expected cookie policy in https://developer.apple.com/documentation/foundation/httpcookiestringpolicy - Is there an alternate mechanism that would maintain the pre-existing cookie behavior for a specific application (e.g. through an Info.plist flag) - Can the `NSCrossWebsiteTrackingUsageDescription` be updated to maintain the pre-existing default cookie behavior when SameSite attribute is omitted, in addition to disabling ITP? 2057775 1 charliew 2024-09-04 18:11:50 -0700 Thank you for reporting this. I have been able to reproduce the issue and am looking into it. 2057776 2 webkit-bug-importer 2024-09-04 18:12:13 -0700 <rdar://problem/135312438> 2057777 3 chonkate 2024-09-04 18:16:26 -0700 Thanks! 2057796 4 charliew 2024-09-04 20:25:28 -0700 Pull request: https://github.com/WebKit/WebKit/pull/33164 2057799 5 chonkate 2024-09-04 20:43:04 -0700 !!!! THANK YOU SO MUCH!! Going through the commit, could you confirm the expectation is for app owners to add the new attribute with a string of "none" as shown below (swift) ```swift let cookieProperties: [HTTPCookiePropertyKey: Any] = [ .domain: "auth.organization.com", .path: "/", .name: "sampleCookie", .value: "sampleValue", .secure: "TRUE", .sameSitePolicy: "none", ] ``` If so, I can communicate this back to app owners so they can prepare an app build with the change. 2058016 6 ews-feeder 2024-09-05 13:31:17 -0700 Committed 283230@main (45ce92c14115): <https://commits.webkit.org/283230@main> Reviewed commits have been landed. Closing PR #33164 and removing active labels. 2058023 7 charliew 2024-09-05 13:44:31 -0700 (In reply to Kate Chon from comment #5) > Going through the commit, could you confirm the expectation is for app > owners to add the new attribute with a string of "none" as shown below Correct. 2058045 8 chonkate 2024-09-05 14:49:20 -0700 Thanks!!! 💜💜 2058259 9 ews-feeder 2024-09-06 12:20:52 -0700 Committed 280938.311@safari-7619-branch (3b7cd3b4db5a): <https://commits.webkit.org/280938.311@safari-7619-branch> Reviewed commits have been landed. Closing PR #1700 and removing active labels. 2061906 10 commit-queue 2024-09-20 12:20:02 -0700 Re-opened since this is blocked by bug 280080 2062801 11 alexandcote 2024-09-24 12:24:15 -0700 When do we expect this fix to land? If you open a Web console and try: ``` document.cookie = "foo=bar;Path=/;SameSite=None;Secure" ``` Safari will not respect the `SameSite` attribute. 2062805 12 alexandcote 2024-09-24 12:33:16 -0700 Seems to be reverted here: https://github.com/WebKit/WebKit/commit/f30d4606699e8d9b5fbe2bb043c95bd8ff5fb9fa 2062806 13 chonkate 2024-09-24 12:39:20 -0700 Hey Alexandre Côté our teams have been able to verify the issue is resolved on iOS 18.1 beta 5. Due to the re-opening of this ticket, it's unclear if we'll be able to expect this change to make it to general release. 2062997 15 gareth.shapiro 2024-09-25 03:32:26 -0700 Hi. Like others here I am very interested in what will be possible regarding SameSite attribute in iOS 18.1 We are seeing significant customer impact and currently it's quite difficult to provide assurance where I need to that a resolution is being planned for. Comment #4 here : https://bugs.webkit.org/show_bug.cgi?id=278353 makes reference to a scripting engine bug. Ask: It would be very useful to know whether it will be possible to successfully set `SameSite=None;Secure` from an iOS app running on 18.1 on webkit using the scripting engine once 18.1 goes into production. Having this information up front would be particularly useful given the time it takes to assemble and get enterprise apps out the door. 2063699 16 rikardt 2024-09-27 03:02:00 -0700 Hi, We also having the same issue with the current 18.0 version across multiple clients, and it looks like it's resolved on 18.1 beta 5. Could we get confirmation on whether the current behavior will be the same as in the planned release version. 2065269 17 charliew 2024-10-03 14:54:44 -0700 SameSite=None cookies by default have been restored in iOS 18.0.1. Please verify that your issues are resolved there. 2065302 18 chonkate 2024-10-03 16:21:17 -0700 Hello Charlie! Thank you so much on the update! Our teams have been able to verify impact has been mitigated. I hope you have a beautiful and lovely rest of your day!