Bug 175934

Summary: Third-party cookies shared when requesting video content
Product: WebKit Reporter: teddyp <tppiotrowski>
Component: MediaAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: ap, bfulgham, eric.carlson, jer.noble, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Mac   
OS: macOS 10.12   
URL: https://tedpiotrowski.svbtle.com/broken-video-attachments-in-gmail

Description teddyp 2017-08-24 06:54:54 PDT 
To reproduce:
1. Under privacy settings choose:
   -Allow from current website only OR Allow from websites I visit
2. Confirm third-party cookies are disabled by visiting: https://alanhogan.github.io/web-experiments/3rd/third-party-cookies.html
3. Create a page on domain1.com that embeds a <video src="http://domain2.com"> and notice that domain2.com Cookies are sent with the request. 
   This behavior differs from both Firefox and Chrome which deny the cookies being sent.

Correct behavior:
domain2.com Cookies should not be sent.

I've documented a real world scenario in this blogpost: https://tedpiotrowski.svbtle.com/broken-video-attachments-in-gmail

My apologies if this behavior is intentional to prevent user pain/confusion.
Comment 1 Radar WebKit Bug Importer 2017-08-25 18:11:01 PDT 
<rdar://problem/34093740>