Bug 161780

Summary: REGRESSION(iOS 10): Video player does not send HttpOnly cookies; missing test coverage
Product: WebKit Reporter: fabian
Component: MediaAssignee: Nobody <webkit-unassigned>
Status: RESOLVED MOVED    
Severity: Major CC: ap, bfulgham, eric.carlson, jer.noble, jonlee, Mikefills, nate, s.rosse, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: iPhone / iPad   
OS: Other   
Attachments:
Description Flags
Adds the missing test coverage for HttpOnly cookies. none

Description fabian 2016-09-08 17:39:59 PDT 
Created attachment 288370 [details]
Adds the missing test coverage for HttpOnly cookies.

OS had a nasty bug in iOS 7.0.4, where cookies had been missing for requests send from VideoPlayers. (Original openradar: http://openradar.appspot.com/radar?id=5238098090786816; test script: https://www.bizify.me/test-if-your-ios-device-is-broken/)

This bug is back in iOS 10 (Visit: https://www.bizify.me/test-if-your-ios-device-is-broken/), though neither Safari nightly nor Safari Technology preview are affected.

This time however only the Javascript allowed cookies are send to the server, not the HttpOnly cookies.

This test coverage is missing in WebKit as well, because it also does not specifically test for HttpOnly cookies, which usually are excluded from client side Javascript.

Patch is attached to fix the test coverage at least, but should be fixed in iOS 10 ASAP as it makes authentication of users for Videos impossible again.
Comment 1 Radar WebKit Bug Importer 2016-09-08 19:27:09 PDT 
<rdar://problem/28218873>
Comment 2 Radar WebKit Bug Importer 2016-09-22 15:26:59 PDT 
<rdar://problem/28435896>
Comment 3 Jon Lee 2016-10-07 11:11:49 PDT 
The underlying issue is a platform-related one, which is tracked in the Radars listed above. We'll have this bug represent the task of adding the test to LayoutTests.

I can also update this bug once the platform bug is fixed and available to test.
Comment 4 Brent Fulgham 2022-02-10 14:06:12 PST 
The fix for this issue was needed outside the WebKit project, therefore this is being resolved as 'Moved'.

This should now be fixed in shipping software.