Bug 196375

Summary: Safari (still) doesn't send Lax cookies after a cross-site redirection
Product: WebKit Reporter: Flávio Juvenal (fjsj) <flavio>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: adam, beidson, cdumez, dbates, paul.savoie, wilander
Priority: P2    
Version: Safari 12   
Hardware: iPhone / iPad   
OS: iOS 12   
Attachments:
Description Flags
iOS 12.2 in-app Safari Lax cookies issue none

Description Flávio Juvenal (fjsj) 2019-03-28 15:10:31 PDT 
Safari doesn't send Lax cookies after a cross-site redirection.
This breaks very common web application workflows, like clicking a tracker link on GMail.

Even though this seems related to #188165 and to #194906, please check this, as the problem still happens in MacOS 10.14.4 and iOS 12.2.

Simple steps to reproduce:

- Open https://safari-samesite-issue.herokuapp.com/target/ to set some Lax cookies
- Open https://safari-samesite-issue-other.herokuapp.com/redirect/ - Note that domain is different. That site performs a CROSS-SITE REDIRECT to https://safari-samesite-issue.herokuapp.com/target/
- Check that cookies set by /target/ aren't sent after /redirect/

Detailed steps to reproduce:

- Open https://safari-samesite-issue.herokuapp.com/target/
- If it's your first visit, you should see something like:

    request.session.session_key: None 
    request.session['obj']: a916f354195a4a45b6933ef41b26bdda 

    request.META['CSRF_COOKIE']: 
    CSRF cookie (from JS): NHaGQEiZ0PofLDqOG0vgYi7mD4kpBFvcEsxRQdLssjpaxG6hKixjT8iKaIOAau2g 

- What we're seeing above is:
  * those values are related to two cookies, sessionid and csrftoken. Both have the flag SameSite: Lax
  * request.session.session_key is None because request was sent without a sessionid cookie, since it was the first request
  * request.session['obj'] shows a value because that was set into the session whose sessionid cookie was set by the response
  * request.META['CSRF_COOKIE'] is empty because request was sent without a csrftoken cookie, since it was the first request
  * CSRF cookie (from JS) shows a value because the csrftoken cookie was set by the response

- Refresh https://safari-samesite-issue.herokuapp.com/target/ and you'll see values for request.session.session_key and request.META['CSRF_COOKIE'], meaning their cookies were well set
- Go to https://safari-samesite-issue-other.herokuapp.com/redirect/ - Note that domain is different. That site performs a CROSS-SITE REDIRECT to https://safari-samesite-issue.herokuapp.com/target/
- Now, at the same URL we first saw, we see something like:
  
    request.session.session_key: None 
    request.session['obj']: 5a0d196943c6447582720cc1582bdb61 

    request.META['CSRF_COOKIE']: 
    CSRF cookie (from JS): null 

- That's wrong. Lax cookies should be sent after a cross-site redirection. Other browsers don't behave that way. Tested on Chrome and Firefox for Mac.
- Issue seems even more serious because not only Safari doesn't send the cookies after the redirect, but it also can't read the cookies set by the response after the redirect. That's why "CSRF cookie (from JS)" is null.

Safari versions tested:

- BROKEN on MacOS 10.14.4 (18E226), Safari 12.1 (14607.1.40.1.4)
- BROKEN on iOS 12.2
- FIXED on Safari Technology Preview Release 77 (Safari 12.2, WebKit 14608.1.7.3) - as stated before
- FIXED on Safari Technology Preview Release 78 (Safari 12.2, WebKit 14608.1.9.1)

Steps to reproduce (other issue?). A similar problem that happens only on iOS 12.2, but not on MacOS 10.14.4:

- Open GMail
- Send a email to yourself with the following link on body https://safari-samesite-issue.herokuapp.com/target/ 
- Note the link above is /target/ directly, not a cross-domain redirection...
- ...but GMail adds it's own tracker link at onclick, so redirect happens from https://www.google.com/url?q=...
- When you reach /target/, you'll see empty values for request.session.session_key and request.META['CSRF_COOKIE'], meaning again that Lax cookies weren't sent

Workaround for both problems described above:

- Don't use SameSite: Lax. Remove SameSite attribute from your cookies.

Application code available at: https://github.com/vintasoftware/safari-samesite-cookie-issue

Possibly related issues:
- "Same Site Lax cookies are not sent with cross-site redirect from client-initiated load" - https://bugs.webkit.org/show_bug.cgi?id=194906
- "iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication" - https://bugs.webkit.org/show_bug.cgi?id=188165
- "Microsoft Security Advisory: iOS12 breaks social, WSFed and OIDC logins #318" - https://github.com/aspnet/Announcements/issues/318
- "Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default" - https://code.djangoproject.com/ticket/30250
- "Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave" - https://code.djangoproject.com/ticket/29975
- "Safari 12 redirects back to /accounts/login" - https://github.com/IronCountySchoolDistrict/django-python3-saml/issues/1
- (Despite the link aboving says ITP is related, it doesn't seem to be. Even disabling it, issue is persistent)
Comment 1 Chris Dumez 2019-03-28 15:16:28 PDT 
- FIXED on Safari Technology Preview Release 77 (Safari 12.2, WebKit 14608.1.7.3) - as stated before
- FIXED on Safari Technology Preview Release 78 (Safari 12.2, WebKit 14608.1.9.1)

So this has already been fixed? If so, why the bug report?
Comment 2 Chris Dumez 2019-03-28 15:18:59 PDT 
(In reply to Chris Dumez from comment #1)
> - FIXED on Safari Technology Preview Release 77 (Safari 12.2, WebKit
> 14608.1.7.3) - as stated before
> - FIXED on Safari Technology Preview Release 78 (Safari 12.2, WebKit
> 14608.1.9.1)
> 
> So this has already been fixed? If so, why the bug report?

Personally, I get:
request.session.session_key: jzk0evlci0c5lq3v174ti02g7zlp6kxj 

On first link.

and
request.session.session_key: jzk0evlci0c5lq3v174ti02g7zlp6kxj 

On second link.

Seems fine, no?
Comment 3 Flávio Juvenal (fjsj) 2019-03-28 15:24:53 PDT 
Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked me to "file a new bug, with complete steps to reproduce" and a live site. That's what I did here. Alexey also believed issue should be fixed in iOS 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta version). Also, check John Wilander comment 45: https://bugs.webkit.org/show_bug.cgi?id=188165#c45

Are you testing on Safari 12.1 (not Technology Preview)?
Comment 4 Chris Dumez 2019-03-28 15:29:50 PDT 
(In reply to Flávio Juvenal (fjsj) from comment #3)
> Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> me to "file a new bug, with complete steps to reproduce" and a live site.
> That's what I did here. Alexey also believed issue should be fixed in iOS
> 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> version). Also, check John Wilander comment 45:
> https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> 
> Are you testing on Safari 12.1 (not Technology Preview)?

The odd thing is that the fix was apparently in CFNetwork, not WebKit/Safari. Therefore, I would not expect different behavior with Safari Technology Preview and System Safari from macOS 10.14.4.
Comment 5 Chris Dumez 2019-03-28 15:31:19 PDT 
(In reply to Chris Dumez from comment #4)
> (In reply to Flávio Juvenal (fjsj) from comment #3)
> > Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> > me to "file a new bug, with complete steps to reproduce" and a live site.
> > That's what I did here. Alexey also believed issue should be fixed in iOS
> > 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> > version). Also, check John Wilander comment 45:
> > https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> > 
> > Are you testing on Safari 12.1 (not Technology Preview)?
> 
> The odd thing is that the fix was apparently in CFNetwork, not
> WebKit/Safari. Therefore, I would not expect different behavior with Safari
> Technology Preview and System Safari from macOS 10.14.4.

Interesting, I was testing on a more recent OS build as it was working. I have confirmed that it indeed does not work as expected on macOS 10.14.4 with System Safari.
Comment 6 Chris Dumez 2019-03-28 15:33:15 PDT 
(In reply to Chris Dumez from comment #5)
> (In reply to Chris Dumez from comment #4)
> > (In reply to Flávio Juvenal (fjsj) from comment #3)
> > > Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> > > me to "file a new bug, with complete steps to reproduce" and a live site.
> > > That's what I did here. Alexey also believed issue should be fixed in iOS
> > > 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> > > version). Also, check John Wilander comment 45:
> > > https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> > > 
> > > Are you testing on Safari 12.1 (not Technology Preview)?
> > 
> > The odd thing is that the fix was apparently in CFNetwork, not
> > WebKit/Safari. Therefore, I would not expect different behavior with Safari
> > Technology Preview and System Safari from macOS 10.14.4.
> 
> Interesting, I was testing on a more recent OS build as it was working. I
> have confirmed that it indeed does not work as expected on macOS 10.14.4
> with System Safari.

And it works with Trunk WebKit on macOS 10.14.4. So there is definitely a fix in WebKit that's needed.
Comment 7 John Wilander 2019-03-28 15:34:42 PDT 
Dan Bates was the WebKit engineer working on this.
Comment 8 Chris Dumez 2019-03-28 15:36:13 PDT 
(In reply to Chris Dumez from comment #6)
> (In reply to Chris Dumez from comment #5)
> > (In reply to Chris Dumez from comment #4)
> > > (In reply to Flávio Juvenal (fjsj) from comment #3)
> > > > Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> > > > me to "file a new bug, with complete steps to reproduce" and a live site.
> > > > That's what I did here. Alexey also believed issue should be fixed in iOS
> > > > 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> > > > version). Also, check John Wilander comment 45:
> > > > https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> > > > 
> > > > Are you testing on Safari 12.1 (not Technology Preview)?
> > > 
> > > The odd thing is that the fix was apparently in CFNetwork, not
> > > WebKit/Safari. Therefore, I would not expect different behavior with Safari
> > > Technology Preview and System Safari from macOS 10.14.4.
> > 
> > Interesting, I was testing on a more recent OS build as it was working. I
> > have confirmed that it indeed does not work as expected on macOS 10.14.4
> > with System Safari.
> 
> And it works with Trunk WebKit on macOS 10.14.4. So there is definitely a
> fix in WebKit that's needed.

I am working on bisecting which Webkit change fixed this.
Comment 9 Chris Dumez 2019-03-28 15:52:54 PDT 
(In reply to Chris Dumez from comment #8)
> (In reply to Chris Dumez from comment #6)
> > (In reply to Chris Dumez from comment #5)
> > > (In reply to Chris Dumez from comment #4)
> > > > (In reply to Flávio Juvenal (fjsj) from comment #3)
> > > > > Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> > > > > me to "file a new bug, with complete steps to reproduce" and a live site.
> > > > > That's what I did here. Alexey also believed issue should be fixed in iOS
> > > > > 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> > > > > version). Also, check John Wilander comment 45:
> > > > > https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> > > > > 
> > > > > Are you testing on Safari 12.1 (not Technology Preview)?
> > > > 
> > > > The odd thing is that the fix was apparently in CFNetwork, not
> > > > WebKit/Safari. Therefore, I would not expect different behavior with Safari
> > > > Technology Preview and System Safari from macOS 10.14.4.
> > > 
> > > Interesting, I was testing on a more recent OS build as it was working. I
> > > have confirmed that it indeed does not work as expected on macOS 10.14.4
> > > with System Safari.
> > 
> > And it works with Trunk WebKit on macOS 10.14.4. So there is definitely a
> > fix in WebKit that's needed.
> 
> I am working on bisecting which Webkit change fixed this.

Fails: r241775
Works: r241964

I am having issues with the builds in between :/
Comment 10 Chris Dumez 2019-03-28 15:56:28 PDT 
(In reply to Chris Dumez from comment #9)
> (In reply to Chris Dumez from comment #8)
> > (In reply to Chris Dumez from comment #6)
> > > (In reply to Chris Dumez from comment #5)
> > > > (In reply to Chris Dumez from comment #4)
> > > > > (In reply to Flávio Juvenal (fjsj) from comment #3)
> > > > > > Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> > > > > > me to "file a new bug, with complete steps to reproduce" and a live site.
> > > > > > That's what I did here. Alexey also believed issue should be fixed in iOS
> > > > > > 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> > > > > > version). Also, check John Wilander comment 45:
> > > > > > https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> > > > > > 
> > > > > > Are you testing on Safari 12.1 (not Technology Preview)?
> > > > > 
> > > > > The odd thing is that the fix was apparently in CFNetwork, not
> > > > > WebKit/Safari. Therefore, I would not expect different behavior with Safari
> > > > > Technology Preview and System Safari from macOS 10.14.4.
> > > > 
> > > > Interesting, I was testing on a more recent OS build as it was working. I
> > > > have confirmed that it indeed does not work as expected on macOS 10.14.4
> > > > with System Safari.
> > > 
> > > And it works with Trunk WebKit on macOS 10.14.4. So there is definitely a
> > > fix in WebKit that's needed.
> > 
> > I am working on bisecting which Webkit change fixed this.
> 
> Fails: r241775
> Works: r241964
> 
> I am having issues with the builds in between :/

Looking at the commits, it is very likely fixed by:
https://trac.webkit.org/changeset/241918/webkit
Comment 11 Chris Dumez 2019-03-28 15:56:42 PDT 

*** This bug has been marked as a duplicate of bug 194906 ***
Comment 12 Flávio Juvenal (fjsj) 2019-03-29 08:33:41 PDT 
Chris, thanks for the quick response to this issue. Have you checked if the other "Steps to reproduce (other issue?)" I listed above is also fixed by Changeset 241918? It affects only iOS, AFAIK.
Comment 13 Chris Dumez 2019-03-29 08:43:18 PDT 
(In reply to Flávio Juvenal (fjsj) from comment #12)
> Chris, thanks for the quick response to this issue. Have you checked if the
> other "Steps to reproduce (other issue?)" I listed above is also fixed by
> Changeset 241918? It affects only iOS, AFAIK.

Oh, I haven't. I'll check later today and comment again.
Comment 14 Chris Dumez 2019-03-29 09:02:45 PDT 
(In reply to Chris Dumez from comment #13)
> (In reply to Flávio Juvenal (fjsj) from comment #12)
> > Chris, thanks for the quick response to this issue. Have you checked if the
> > other "Steps to reproduce (other issue?)" I listed above is also fixed by
> > Changeset 241918? It affects only iOS, AFAIK.
> 
> Oh, I haven't. I'll check later today and comment again.

I have just tried your steps for "other issue" and they do not reproduce an issue for me, even on macOS 10.14.4. I assume this other issue could have been Bug 188165 which got fixed in macOS 10.14.4.

Can you really reproduce on macOS 10.14.4?
Comment 15 Flávio Juvenal (fjsj) 2019-03-29 09:04:56 PDT 
No, they're reproducible in iOS 12.2. Does iOS 12.2 already contains the fix for Bug 188165?
Comment 16 Chris Dumez 2019-03-29 09:07:28 PDT 
(In reply to Flávio Juvenal (fjsj) from comment #15)
> No, they're reproducible in iOS 12.2. Does iOS 12.2 already contains the fix
> for Bug 188165?

Oh, I have not tried iOS 12.2. And yes, the CFNetwork fix for Bug 188165 is supposed to have shipped in iOS 12.2, it is definitely surprising it would reproduce there.
I'll try and do some iOS testing today.
Comment 17 Chris Dumez 2019-03-29 09:50:35 PDT 
(In reply to Chris Dumez from comment #16)
> (In reply to Flávio Juvenal (fjsj) from comment #15)
> > No, they're reproducible in iOS 12.2. Does iOS 12.2 already contains the fix
> > for Bug 188165?
> 
> Oh, I have not tried iOS 12.2. And yes, the CFNetwork fix for Bug 188165 is
> supposed to have shipped in iOS 12.2, it is definitely surprising it would
> reproduce there.
> I'll try and do some iOS testing today.

Does not reproduce for me on iOS 12.2 either.
Comment 18 Flávio Juvenal (fjsj) 2019-03-29 12:01:11 PDT 
Created attachment 366289 [details]
iOS 12.2 in-app Safari Lax cookies issue

Chris, I've attached a video with the reproduction for the iOS-only problem. It only happens on GMail with in-app Safari browser.

I know that cookies aren't shared between Safari and GMail's webview, but the issue is that the webview doesn't seem to be able to set any Lax cookies.

The video above tests the site https://safari-samesite-issue.herokuapp.com/target/
which uses Lax cookies. Test with that link, it won't work. Afterwards, test with https://safari-issue-samesite-no-lax.herokuapp.com/target/, which doesn't use Lax cookies. It'll work.
Comment 19 Chris Dumez 2019-03-29 12:05:19 PDT 
(In reply to Flávio Juvenal (fjsj) from comment #18)
> Created attachment 366289 [details]
> iOS 12.2 in-app Safari Lax cookies issue
> 
> Chris, I've attached a video with the reproduction for the iOS-only problem.
> It only happens on GMail with in-app Safari browser.
> 
> I know that cookies aren't shared between Safari and GMail's webview, but
> the issue is that the webview doesn't seem to be able to set any Lax cookies.
> 
> The video above tests the site
> https://safari-samesite-issue.herokuapp.com/target/
> which uses Lax cookies. Test with that link, it won't work. Afterwards, test
> with https://safari-issue-samesite-no-lax.herokuapp.com/target/, which
> doesn't use Lax cookies. It'll work.

I need to try with the Gmail app, I had tried with Gmail.com in MobileSafari earlier.
Comment 20 Chris Dumez 2019-03-29 12:33:59 PDT 
(In reply to Chris Dumez from comment #19)
> (In reply to Flávio Juvenal (fjsj) from comment #18)
> > Created attachment 366289 [details]
> > iOS 12.2 in-app Safari Lax cookies issue
> > 
> > Chris, I've attached a video with the reproduction for the iOS-only problem.
> > It only happens on GMail with in-app Safari browser.
> > 
> > I know that cookies aren't shared between Safari and GMail's webview, but
> > the issue is that the webview doesn't seem to be able to set any Lax cookies.
> > 
> > The video above tests the site
> > https://safari-samesite-issue.herokuapp.com/target/
> > which uses Lax cookies. Test with that link, it won't work. Afterwards, test
> > with https://safari-issue-samesite-no-lax.herokuapp.com/target/, which
> > doesn't use Lax cookies. It'll work.
> 
> I need to try with the Gmail app, I had tried with Gmail.com in MobileSafari
> earlier.

Ok, I was able to reproduce the issue on iOS 12.2 using the Gmail app. I have confirmed that r241900 fails and r241920 works. It is therefore extremely likely that this was fixed by https://trac.webkit.org/changeset/241918/webkit and that the iOS issue you're seeing is a dupe of bug 194906 as well.
Comment 21 Flávio Juvenal (fjsj) 2019-03-29 12:54:49 PDT 
Good to know, thanks. Does that mean the next minor version update should fix this or that's hard to say?
Comment 22 Chris Dumez 2019-03-29 12:56:27 PDT 
(In reply to Flávio Juvenal (fjsj) from comment #21)
> Good to know, thanks. Does that mean the next minor version update should
> fix this or that's hard to say?

Sorry, I cannot comment on when a particular fix will ship to customers.
This does seems like a bad bug though and I hope we can ship to customers sooner rather than later.