Bug 200307

Summary: SameSite Lax cookies aren't sent from tabs recovered from last Safari session when in scope of service workers
Product: WebKit Reporter: Rafael <xfalcox>
Component: Service WorkersAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Major CC: ap, cdumez
Priority: P2    
Version: Safari Technology Preview   
Hardware: All   
OS: All   

Description Rafael 2019-07-31 10:10:12 PDT 
Let there be a tab with a loaded web page which:

- contains a cookie with the SameSite bit set to "Lax"
- contains an active ServiceWorker proxying fetch requests

After killing the Safari app on iOS and reopening it, Safari will reload the tab.

During this reload the Lax cookie won't be sent in the requests to the server. If you refresh the page, even multiple times, the cookie will still not be sent.

If this cookie is a login cookie, the page will be show as if aren't logged in, resulting in a weird behavior for the user.

However, if you tap the address bar, make **no change** and tap go, navigating to the current page again, the cookie will be sent this time "fixing" the page.

I created a very simple and barebones demonstration of this bug:

- Bug reproduction website: https://rocky-fjord-97287.herokuapp.com/

- Source Code: https://github.com/xfalcox/safari-sw-samesite-bug

This bug affect the open source Forum software Discourse, and made me drop the offline browsing feature for Apple devices due to it.
Comment 1 Alexey Proskuryakov 2019-08-02 13:32:30 PDT 
Looks like the same issue was filed separately a bit later, and that is already releted to a radar. Forward duping.

*** This bug has been marked as a duplicate of bug 200345 ***