Bug 179348
| Summary: | "Allow from websites I visit" privacy setting strips cookies from 302 redirects on <video> | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Jeremy Selier <jerem.selier> |
| Component: | Platform | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | Normal | CC: | achristensen, beidson, bfulgham, jer.noble, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 11 | | |
| Hardware: | Mac | | |
| OS: | macOS 10.12 | | |
Jeremy Selier
Similar to this old bug: https://bugs.webkit.org/show_bug.cgi?id=139683
1. Load website at foo.com
2. Website creates a <video> and points to bar.com in src.
3. bar.com does a 302 redirect to bar.com/somethingelse with a set-cookie
Expected: set-cookie is indeed set on redirect
Actual: set-cookie is not set on bar.com/somethingelse query
If I change my setting to "Always allow", it works fine. Also checked same code in latest iOS on iPhone and it also fails there.
The interesting part is that if I open bar.com in a new tab, the set-cookie is properly set on redirect to bar.com/somethingelse
All others browsers tested work fine. Let me know if you need a repro case.
Radar WebKit Bug Importer
<rdar://problem/35433037>
Jeremy Selier
Looking into this more, I believe that this may be working as intended with the Safari-specific cookie privacy setting. Feel free to close if that's the case.
Jer Noble
(In reply to Jeremy Selier from comment #0)
> Similar to this old bug: https://bugs.webkit.org/show_bug.cgi?id=139683
>
> 1. Load website at foo.com
> 2. Website creates a <video> and points to bar.com in src.
> 3. bar.com does a 302 redirect to bar.com/somethingelse with a set-cookie
>
> Expected: set-cookie is indeed set on redirect
> Actual: set-cookie is not set on bar.com/somethingelse query
Yes, this is behaving as intended. Responses from bar.com in a foo.com context can't set cookies. You'll find the same behavior with <img src="http://bar.com/somethingelse">.
> If I change my setting to "Always allow", it works fine. Also checked same
> code in latest iOS on iPhone and it also fails there.
> The interesting part is that if I open bar.com in a new tab, the set-cookie
> is properly set on redirect to bar.com/somethingelse
This is also behaving as intended; you've visited bar.com in a first-party context, so subsequent requests in a third-party context will be allowed to set and read cookies (for a while, until Intelligent Tracking Protection kicks in).
> All others browsers tested work fine. Let me know if you need a repro case.
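The policy Jer describes can be reproduced in a small model. The following is an added illustration, not code from the bug report or from WebKit: a toy cookie jar that stores a cookie only when the request host is either the top-level page or a host the user has already loaded as a first party, and a toy bar.com server whose "/" answers 302 with a Set-Cookie, as in the report. The hosts, paths and the cookie value are constructed for the example.

```javascript
// Added example (not from the report or WebKit): a toy model of the
// "Allow from websites I visit" cookie policy. Hosts, paths and the
// cookie value are constructed.

// Toy bar.com: "/" redirects to "/somethingelse" and tries to set a cookie;
// "/somethingelse" reports whether that cookie came back on the request.
function barServer(path, cookieHeader) {
  if (path === "/") {
    return { status: 302, location: "/somethingelse", setCookie: "session=abc123" };
  }
  if (path === "/somethingelse") {
    return { status: 200, sawCookie: cookieHeader.includes("session=abc123") };
  }
  return { status: 404 };
}

const servers = { "bar.com": barServer };

// Browser state: a cookie jar keyed by host, plus the set of hosts the user
// has loaded as a top-level (first-party) page.
function createBrowser(policy) {
  return { policy, jar: new Map(), visitedFirstParty: new Set() };
}

// The policy under discussion: a first-party request may always use cookies;
// a third-party request may only if the host was visited first-party before.
// "always" models the "Always allow" setting the reporter switched to.
function cookiesAllowed(browser, requestHost, topLevelHost) {
  if (browser.policy === "always") return true;
  if (requestHost === topLevelHost) return true;
  return browser.visitedFirstParty.has(requestHost);
}

// Issue a request for host/path while topLevelHost is the page being viewed,
// following redirects. Set-Cookie on any hop is dropped when the policy says
// cookies are not allowed, which is what the report observes on the 302.
function request(browser, host, path, topLevelHost, hops = 0) {
  if (hops > 5) throw new Error("too many redirects");
  const server = servers[host];
  if (!server) return { status: 404 };
  const allowed = cookiesAllowed(browser, host, topLevelHost);
  const cookieHeader = allowed ? (browser.jar.get(host) || "") : "";
  const response = server(path, cookieHeader);
  if (response.setCookie && allowed) {
    browser.jar.set(host, response.setCookie);
  }
  if (response.status === 302) {
    return request(browser, host, response.location, topLevelHost, hops + 1);
  }
  return response;
}

// Top-level navigation: records the host as visited first-party.
function navigate(browser, host, path) {
  browser.visitedFirstParty.add(host);
  return request(browser, host, path, host);
}

// The scenario from the report: a foo.com page embeds <video src="http://bar.com/">.
// Returns whether bar.com/somethingelse received the cookie set on the 302.
function videoOnFooSeesCookie(policy, visitBarFirst) {
  const browser = createBrowser(policy);
  if (visitBarFirst) navigate(browser, "bar.com", "/");   // "open bar.com in a new tab"
  return request(browser, "bar.com", "/", "foo.com").sawCookie;
}

console.log("from-visited, bar.com never visited:", videoOnFooSeesCookie("from-visited", false)); // false
console.log("always allow:", videoOnFooSeesCookie("always", false));                               // true
console.log("from-visited, bar.com visited first:", videoOnFooSeesCookie("from-visited", true));   // true
```

The three calls at the bottom correspond to the three observations in the report: the cookie is lost under the default setting, kept under "Always allow", and kept again once bar.com has been opened as a first-party page. The model deliberately leaves out the expiry Jer mentions (Intelligent Tracking Prevention later revoking the first-party grant), so the third case stays true indefinitely here.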
Jer Noble
(In reply to Jeremy Selier from comment #2)
> Looking into this more, I believe that this may be working as intended with
> the Safari-specific cookie privacy setting. Feel free to close if that's the
> case.
Will do.