291194 2025-04-07 04:53:14 -0700 REGRESSION(289693@main): [SOUP] iframe on same apex as parent can't access cookies 2025-04-10 12:57:16 -0700 1 1 1 Unclassified WebKit WebKitGTK WebKit Nightly Build Unspecified Linux RESOLVED FIXED DoNotImportToRadar P2 Normal --- 1 info pgriffis bugs-noreply dpino fujii jonathan max mcatanzaro pgriffis yurys oldest_to_newest 2109383 0 info 2025-04-07 04:53:14 -0700 The child iframe can't access its parent cookies, even though it's on the same apex domain. This bug was introduced in c6414d5c4ed2fed77d0f485a1ff0a8621411c562...3e847b33c9aa193c4a1fc72e530dd3edaf4f11a2. # Repro ```js require('http').createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); if (req.headers.host === 'example.test') { res.setHeader('Set-Cookie', 'testCookie=value; SameSite=Lax; Domain=example.test'); res.end(` <p id="result"></p> <script>document.getElementById('result').textContent = document.cookie || 'no cookies';</script> <iframe src="http://sub.example.test"></iframe> `); } else if (req.headers.host === 'sub.example.test') { res.end(` <p id="result"></p> <script>document.getElementById('result').textContent = document.cookie || 'no cookies';</script> `); } else { res.statusCode = 404; res.end(); } }).listen(80); ``` ``` # add to /etc/hosts 127.0.0.1 example.test 127.0.0.1 sub.example.test ``` Open up `example.test`. I expect to see `testCookie=value` in both the parent and child frame. It actually shows `no cookies` in the child frame. Originally reported as https://github.com/microsoft/playwright/issues/35439. 2109384 1 info 2025-04-07 04:54:08 -0700 This occurs only on Linux. I'm willing to work on a fix for this. 2109659 2 fujii 2025-04-08 00:02:30 -0700 libsoup is used on Linux. not libcurl. 2109947 3 max 2025-04-09 08:21:02 -0700 Investigating: Looks like it only affects special domains like 'example.test' or 'example.test1'. Bisecting the change right now to see which patch caused it. 2110147 4 max 2025-04-10 03:49:05 -0700 - Bisected to https://github.com/webkit/webkit/commit/cb077473952d - Might be this check https://gitlab.gnome.org/GNOME/libsoup/-/blob/master/libsoup/cookies/soup-cookie-jar.c#L539 - Which checks https://gitlab.gnome.org/GNOME/libsoup/-/blob/master/libsoup/soup-tld.c#L163 2110181 5 pgriffis 2025-04-10 07:15:28 -0700 Pull request: https://github.com/WebKit/WebKit/pull/43899 2110186 6 pgriffis 2025-04-10 07:26:20 -0700 So that patch fixes this specific case. I do wonder though if WebKit is entirely correct to treat this as a third party domain. As you link libsoup already did too. That said other browsers do not block the cookie in this situation. 2110187 7 pgriffis 2025-04-10 07:27:56 -0700 Actually WebKit on Apple platforms also do this, so I think its fine. 2110256 8 ews-feeder 2025-04-10 12:57:13 -0700 Committed 293538@main (3f1d5e3400d4): <https://commits.webkit.org/293538@main> Reviewed commits have been landed. Closing PR #43899 and removing active labels.