Bug 201646

Summary: Cookie sameSite Lax setting and .lan domains
Product: WebKit
Reporter: Nathan <ngoff>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Major
CC: achristensen, ap, beidson, cbilling, cemilekenel, eljawara79, martin.foucek, m.kurz+webkitbugs, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: Safari 12
Hardware: Mac
OS: macOS 10.14
See Also: https://bugs.webkit.org/show_bug.cgi?id=265634

Nathan
Reported 2019-09-10 09:04:24 PDT
I am uncertain if this is with WebKit or something deeper at the OS level. Our internal development environment uses .lan tld for all of our development servers. With the latest release of Safari and Mojave we have found that cookies are not being sent along by the browser with our ajax calls when we have the sameSite setting set to Lax. If we don't set it then everything works as normal. This appears to be a bug as we are always on the same site when this issue occurs, so it is confusing why it would determine it should not send them along. We do not see this issue in our production systems where we are using a traditional .com tld. It almost seems like the browser has determined .lan to not be 'safe enough' and therefore is not passing along the cookies like it should.
Nathan
Comment 1 2019-09-10 09:28:26 PDT
To clarify: same-domain AJAX GET requests are not sending the cookie for self-signed .lan TLDs
Radar WebKit Bug Importer
Comment 2 2019-09-13 09:15:47 PDT
Martin
Comment 3 2020-03-16 08:27:31 PDT
Still reproducible on macOS 10.15.3 with Safari 13.0.5.
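
A minimal reproduction server for the behaviour reported in this thread, added here as an example and not part of the bug report or of WebKit: the page load sets a `SameSite=Lax` cookie, then the page makes a same-origin GET to `/check`, which reports whether the cookie came back. The cookie name `sid`, the paths and port 8000 are assumptions; serve it under the affected hostname (behind TLS if the setup uses a self-signed certificate) and compare the result with a host on another TLD.

```python
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import json

COOKIE_NAME = "sid"  # hypothetical cookie name, not from the report

# Page that issues a same-origin GET, like the AJAX calls in the report.
PAGE = b"""<!doctype html><title>SameSite=Lax check</title>
<pre id="out">waiting...</pre>
<script>
fetch('/check', {credentials: 'same-origin'})
  .then(r => r.json())
  .then(j => { document.getElementById('out').textContent = JSON.stringify(j); });
</script>"""

def lax_cookie_header(value):
    """Build a Set-Cookie value carrying SameSite=Lax."""
    c = SimpleCookie()
    c[COOKIE_NAME] = value
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["samesite"] = "Lax"
    return c[COOKIE_NAME].OutputString()

def cookie_received(cookie_header):
    """True if the request's Cookie header carries the test cookie."""
    return COOKIE_NAME in SimpleCookie(cookie_header or "")

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/check":
            seen = cookie_received(self.headers.get("Cookie"))
            body, ctype = json.dumps({"cookie_received": seen}).encode(), "application/json"
        else:
            body, ctype = PAGE, "text/html"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        if self.path != "/check":  # only the page load sets the cookie
            self.send_header("Set-Cookie", lax_cookie_header("test"))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def make_server(host="0.0.0.0", port=8000):
    return ThreadingHTTPServer((host, port), Handler)

if __name__ == "__main__":
    make_server().serve_forever()
```

A browser that attaches the cookie shows `{"cookie_received":true}` on the page; the behaviour described in this report would show `false` on the affected host.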