Bug 200307
Summary: | SameSite Lax cookies aren't sent from tabs recovered from last Safari session when in scope of service workers | ||
---|---|---|---|
Product: | WebKit | Reporter: | Rafael <xfalcox> |
Component: | Service Workers | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED DUPLICATE | ||
Severity: | Major | CC: | ap, cdumez |
Priority: | P2 | ||
Version: | Safari Technology Preview | ||
Hardware: | All | ||
OS: | All |
Rafael
Let there be a tab with a loaded web page which:
- contains a cookie with the SameSite bit set to "Lax"
- contains an active ServiceWorker proxying fetch requests
After killing the Safari app on iOS and reopening it, Safari will reload the tab.
During this reload the Lax cookie won't be sent in the requests to the server. If you refresh the page, even multiple times, the cookie will still not be sent.
If this cookie is a login cookie, the page will be show as if aren't logged in, resulting in a weird behavior for the user.
However, if you tap the address bar, make **no change** and tap go, navigating to the current page again, the cookie will be sent this time "fixing" the page.
I created a very simple and barebones demonstration of this bug:
- Bug reproduction website: https://rocky-fjord-97287.herokuapp.com/
- Source Code: https://github.com/xfalcox/safari-sw-samesite-bug
This bug affect the open source Forum software Discourse, and made me drop the offline browsing feature for Apple devices due to it.
Attachments | ||
---|---|---|
Add attachment proposed patch, testcase, etc. |
Alexey Proskuryakov
Looks like the same issue was filed separately a bit later, and that is already releted to a radar. Forward duping.
*** This bug has been marked as a duplicate of bug 200345 ***