306194 2026-01-24 17:25:46 -0800 Partitioned cookies (CHIPS) are dropped on return after multi-hop cross-site redirects 2026-01-28 17:23:13 -0800 1 1 1 Unclassified WebKit Page Loading Safari 26 Unspecified Unspecified NEW InRadar P2 Normal --- 1 kian webkit-unassigned beidson kian m_finkel webkit-bug-importer wilander oldest_to_newest 2174813 0 kian 2026-01-24 17:25:46 -0800 Safari drops Partitioned cookies (SameSite=None; Secure; Partitioned) after a multi-hop cross-site redirect chain, even when the final navigation returns to the original top-level site. Non-partitioned cookies set at the same time are preserved. This breaks many OAuth / OIDC-style login flows that use partitioned cookies. I've created a minimal, self-contained reproduction using three domains. Source code and live demo are available: - GitHub repo: https://github.com/kiancross/safari-partitioned-cookie-bug-demo - Live demo: https://safari-partitioned-cookie-bug-demo.kiancross.workers.dev To reproduce: 1. Visit Domain A (start page). 2. Click "Start test". 3. Domain A: - Sets two cookies: np_cookie=np1; SameSite=None; Secure p_cookie=p1; SameSite=None; Secure; Partitioned - Responds with a 302 redirect to Domain B. 4. Domain B immediately 302s to Domain C. 5. Domain C immediately 302s back to Domain A (/return). 6. Domain A prints the incoming Cookie header. Expected Result: Both cookies set on Domain A (np_cookie and p_cookie) should be sent back to Domain A when the navigation returns. Actual Result: The non-partitioned cookie (np_cookie) is present. The partitioned cookie (p_cookie) is missing from the Cookie header on the return request. I have reproduced this reliably on Safari 26.2 for both MacOS and iOS. 2174814 1 kian 2026-01-24 17:27:05 -0800 Additional Details: The issue only appears after multiple cross-site redirects (A -> B -> C -> A). A redirect chain involving only a single cross-site hop (A -> B -> B -> A) does not reproduce the problem. Pausing the redirect chain at Domain B (e.g., 200 OK response and explicit user interaction) then continuing the flow (A -> B (user input) -> C -> A), does not change the outcome. The critical step appears to be the final B -> C -> A redirect sequence. When pausing at Domain B, the cookies can be verified as present and correctly set (e.g., by opening Domain A in another tab). However, those same cookies are not sent to Domain A when returning via the final redirect chain. In the live demo I've provided, after arriving back at Domain A through the redirect chain, refreshing the page causes the partitioned cookies to appear as expected. Opening the live demo in Chrome shows the expected behaviour: both partitioned and non-partitioned cookies are sent on the return request. 2174828 2 kian 2026-01-24 19:28:34 -0800 (I've also submitted this on Apple Feedback Assistant, as I suspect this might have been the wrong place to submit. If so, feel free to close this issue.) 2175334 3 webkit-bug-importer 2026-01-26 19:56:25 -0800 <rdar://problem/168969702> 2176025 4 ap 2026-01-28 17:23:13 -0800 rdar://168850589