Bug 204109

Summary: REGRESSION (iOS 13.3): WKWebView does not include cookies in cross-origin images
Product: WebKit Reporter: Niklas Merz <niklasmerz>
Component: New BugsAssignee: John Wilander <wilander>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, bfulgham, cdumez, david.mcrae, ddkilzer, guo.li, jdai, maciej.zabielski+webkit, niklasmerz, webkit-bug-importer, webkit
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: iPhone / iPad   
OS: iOS 13   
URL: https://niklas.merz.dev/corstest/
See Also: https://bugs.webkit.org/show_bug.cgi?id=200857
https://bugs.webkit.org/show_bug.cgi?id=204322
https://bugs.webkit.org/show_bug.cgi?id=213510
Attachments:
Description Flags
Example project with test page
none
Proposed patch
ap: review+
Proposed patch addressing Chris's comments
none
Proposed patch addressing Chris's comments cdumez: review+

Niklas Merz
Reported 2019-11-12 04:36:09 PST
Created attachment 383348 [details] Example project with test page We found a bug in our app (using WKWebView) that images that are loaded from another origin don't load because the necessary cookie is not sent. I added a small sample project which opens a test page in WKWebview. This page has two img tags. One of the loads the image from the same origin, one from another one. Both images need a cookie, otherwhise an error is thrown. The cookies for thesse images are set in Swift code before opening the WebView. If I run this project with two devices and iOS version, I get different result: * iOS 13.2: Both images are displayed at app launch * iOS 13.3 Developer Beta 2: Only the same origin image is displayed Bug 200857 was a similiar issue in iOS 13, but is fixed since iOS 13.2
Attachments
Example project with test page (43.62 KB, application/zip)
2019-11-12 04:36 PST, Niklas Merz 		no flags
Details
Proposed patch (14.16 KB, patch)
2019-11-16 14:38 PST, John Wilander 		ap: review+
DetailsFormatted DiffDiff
Proposed patch addressing Chris's comments (14.16 KB, patch)
2019-11-16 16:00 PST, John Wilander 		no flags
DetailsFormatted DiffDiff
Proposed patch addressing Chris's comments (17.79 KB, patch)
2019-11-16 16:03 PST, John Wilander 		cdumez: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2019-11-12 10:19:33 PST
<rdar://problem/57120772>
Alexey Proskuryakov
Comment 2 2019-11-15 11:56:39 PST
Is the server up and running now? We are getting question marks for the images.
Niklas Merz
Comment 3 2019-11-15 12:02:59 PST
Yes that is the point. You need a cookie with a Value test. The Native App from the attachment Sets the cookie.
Niklas Merz
Comment 4 2019-11-15 12:40:25 PST
(In reply to Niklas Merz from comment #3) > Yes that is the point. You need a cookie with a Value test. The Native App > from the attachment Sets the cookie. If you open the page in a browser there will be no images. Setting a cookie like corstest=tes will make the image accessible. If you open the test app on iOS 13.3 there will be one image from the same origin, on iOS 13.2 two images from both origins. The test page is available on Github. I did set a check on cookies for the images via a serverless function for the hosting: https://github.com/NiklasMerz/corstest Can you reproduce this issue?
John Wilander
Comment 5 2019-11-16 14:38:28 PST
Created attachment 383705 [details] Proposed patch Patch for review. Note that it is branch-specific and won't apply to trunk.
Alexey Proskuryakov
Comment 6 2019-11-16 14:54:03 PST
Comment on attachment 383705 [details] Proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=383705&action=review > LayoutTests/ChangeLog:9 > + * http/tests/resourceLoadStatistics/no-third-party-cookie-blocking-when-itp-is-off-expected.txt: Added. Test pieces will need to be landed on trunk too.
Chris Dumez
Comment 7 2019-11-16 14:58:21 PST
Comment on attachment 383705 [details] Proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=383705&action=review > Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:208 > + || (session.isResourceLoadStatisticsEnabled() && session.networkStorageSession() && session.networkStorageSession()->shouldBlockCookies(request, frameID, pageID)); There are other call sites that call shouldBlockCookies() without checking if ITP is enabled. Why are those OK? Why isn't the isITPEnabled check inside shouldBlockCookies()?
John Wilander
Comment 8 2019-11-16 15:04:12 PST
(In reply to Alexey Proskuryakov from comment #6) > Comment on attachment 383705 [details] > Proposed patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=383705&action=review > > > LayoutTests/ChangeLog:9 > > + * http/tests/resourceLoadStatistics/no-third-party-cookie-blocking-when-itp-is-off-expected.txt: Added. > > Test pieces will need to be landed on trunk too. Absolutely.
John Wilander
Comment 9 2019-11-16 15:07:42 PST
(In reply to Chris Dumez from comment #7) > Comment on attachment 383705 [details] > Proposed patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=383705&action=review > > > Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:208 > > + || (session.isResourceLoadStatisticsEnabled() && session.networkStorageSession() && session.networkStorageSession()->shouldBlockCookies(request, frameID, pageID)); > > There are other call sites that call shouldBlockCookies() without checking > if ITP is enabled. Why are those OK? I'll have a look. > Why isn't the isITPEnabled check inside shouldBlockCookies()? It's the NetworkSession that knows. But maybe I can forward that info to the NetworkStorageSession. But that increases the risk of the change, right?
Chris Dumez
Comment 10 2019-11-16 15:18:30 PST
(In reply to John Wilander from comment #9) > (In reply to Chris Dumez from comment #7) > > Comment on attachment 383705 [details] > > Proposed patch > > > > View in context: > > https://bugs.webkit.org/attachment.cgi?id=383705&action=review > > > > > Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:208 > > > + || (session.isResourceLoadStatisticsEnabled() && session.networkStorageSession() && session.networkStorageSession()->shouldBlockCookies(request, frameID, pageID)); > > > > There are other call sites that call shouldBlockCookies() without checking > > if ITP is enabled. Why are those OK? > > I'll have a look. > > > Why isn't the isITPEnabled check inside shouldBlockCookies()? > > It's the NetworkSession that knows. But maybe I can forward that info to the > NetworkStorageSession. But that increases the risk of the change, right? Hmm, I see what you mean, NetworkStorageSession is actually in WebCore and does not have access to the NetworkSession and does not know about the NetworkSession. My alternate proposal then then would be to rename the method name to be less generic (e.g. shouldBlockCookieDueToITP()) and make sure all call sites check that ITP is enabled before calling. This is assuming this function is only used for ITP purposes (I don't actually know that for sure).
John Wilander
Comment 11 2019-11-16 15:58:53 PST
(In reply to Chris Dumez from comment #10) > (In reply to John Wilander from comment #9) > > (In reply to Chris Dumez from comment #7) > > > Comment on attachment 383705 [details] > > > Proposed patch > > > > > > View in context: > > > https://bugs.webkit.org/attachment.cgi?id=383705&action=review > > > > > > > Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:208 > > > > + || (session.isResourceLoadStatisticsEnabled() && session.networkStorageSession() && session.networkStorageSession()->shouldBlockCookies(request, frameID, pageID)); > > > > > > There are other call sites that call shouldBlockCookies() without checking > > > if ITP is enabled. Why are those OK? > > > > I'll have a look. > > > > > Why isn't the isITPEnabled check inside shouldBlockCookies()? > > > > It's the NetworkSession that knows. But maybe I can forward that info to the > > NetworkStorageSession. But that increases the risk of the change, right? > > Hmm, I see what you mean, NetworkStorageSession is actually in WebCore and > does not have access to the NetworkSession and does not know about the > NetworkSession. > > My alternate proposal then then would be to rename the method name to be > less generic (e.g. shouldBlockCookieDueToITP()) and make sure all call sites > check that ITP is enabled before calling. This is assuming this function is > only used for ITP purposes (I don't actually know that for sure). Your overall comment was valid - thank you for that! I have another approach. I will forward the on/off status of ITP to NetworkStorageSession and check it in the shouldBlockCookies() functions. This increases the patch's complexity slightly but not in a material way since it's just about forwarding a boolean flag and the infrastructure for the ITP setting is already there. New patch coming.
John Wilander
Comment 12 2019-11-16 16:00:42 PST
Created attachment 383708 [details] Proposed patch addressing Chris's comments
John Wilander
Comment 13 2019-11-16 16:03:02 PST
Created attachment 383709 [details] Proposed patch addressing Chris's comments
Chris Dumez
Comment 14 2019-11-16 16:11:25 PST
Comment on attachment 383709 [details] Proposed patch addressing Chris's comments View in context: https://bugs.webkit.org/attachment.cgi?id=383709&action=review > Source/WebKit/NetworkProcess/NetworkSession.cpp:134 > + if (auto* storageSession = networkStorageSession()) Could this be move to the top of the method to avoid the duplication? ASSERT(!m_isInvalidated); if (auto* storageSession = networkStorageSession()) storageSession->setResourceLoadStatisticsEnabled(enable);
John Wilander
Comment 15 2019-11-16 16:13:09 PST
(In reply to Chris Dumez from comment #14) > Comment on attachment 383709 [details] > Proposed patch addressing Chris's comments > > View in context: > https://bugs.webkit.org/attachment.cgi?id=383709&action=review > > > Source/WebKit/NetworkProcess/NetworkSession.cpp:134 > > + if (auto* storageSession = networkStorageSession()) > > Could this be move to the top of the method to avoid the duplication? > > ASSERT(!m_isInvalidated); > if (auto* storageSession = networkStorageSession()) > storageSession->setResourceLoadStatisticsEnabled(enable); Yes. Will fix before sending to branch integrators. Thanks for the review!
John Wilander
Comment 16 2019-11-16 16:14:49 PST
(In reply to John Wilander from comment #15) > (In reply to Chris Dumez from comment #14) > > Comment on attachment 383709 [details] > > Proposed patch addressing Chris's comments > > > > View in context: > > https://bugs.webkit.org/attachment.cgi?id=383709&action=review > > > > > Source/WebKit/NetworkProcess/NetworkSession.cpp:134 > > > + if (auto* storageSession = networkStorageSession()) > > > > Could this be move to the top of the method to avoid the duplication? > > > > ASSERT(!m_isInvalidated); > > if (auto* storageSession = networkStorageSession()) > > storageSession->setResourceLoadStatisticsEnabled(enable); > > Yes. Will fix before sending to branch integrators. Thanks for the review! Or wait, now I remember why I had it in two places - to guarantee that the ITP object has been created before I tell the storage session that ITP is on. Do you think that'll cause an issue with your proposed change?
Chris Dumez
Comment 17 2019-11-16 16:23:57 PST
(In reply to John Wilander from comment #16) > (In reply to John Wilander from comment #15) > > (In reply to Chris Dumez from comment #14) > > > Comment on attachment 383709 [details] > > > Proposed patch addressing Chris's comments > > > > > > View in context: > > > https://bugs.webkit.org/attachment.cgi?id=383709&action=review > > > > > > > Source/WebKit/NetworkProcess/NetworkSession.cpp:134 > > > > + if (auto* storageSession = networkStorageSession()) > > > > > > Could this be move to the top of the method to avoid the duplication? > > > > > > ASSERT(!m_isInvalidated); > > > if (auto* storageSession = networkStorageSession()) > > > storageSession->setResourceLoadStatisticsEnabled(enable); > > > > Yes. Will fix before sending to branch integrators. Thanks for the review! > > Or wait, now I remember why I had it in two places - to guarantee that the > ITP object has been created before I tell the storage session that ITP is > on. Do you think that'll cause an issue with your proposed change? It is just setting a Boolean, the setter does not rely on the ITP object in any way (and cannot really since they live at different layers), so I think it would be fine. Why did you have concerns?
John Wilander
Comment 18 2019-11-16 16:27:04 PST
(In reply to Chris Dumez from comment #17) > (In reply to John Wilander from comment #16) > > (In reply to John Wilander from comment #15) > > > (In reply to Chris Dumez from comment #14) > > > > Comment on attachment 383709 [details] > > > > Proposed patch addressing Chris's comments > > > > > > > > View in context: > > > > https://bugs.webkit.org/attachment.cgi?id=383709&action=review > > > > > > > > > Source/WebKit/NetworkProcess/NetworkSession.cpp:134 > > > > > + if (auto* storageSession = networkStorageSession()) > > > > > > > > Could this be move to the top of the method to avoid the duplication? > > > > > > > > ASSERT(!m_isInvalidated); > > > > if (auto* storageSession = networkStorageSession()) > > > > storageSession->setResourceLoadStatisticsEnabled(enable); > > > > > > Yes. Will fix before sending to branch integrators. Thanks for the review! > > > > Or wait, now I remember why I had it in two places - to guarantee that the > > ITP object has been created before I tell the storage session that ITP is > > on. Do you think that'll cause an issue with your proposed change? > > It is just setting a Boolean, the setter does not rely on the ITP object in > any way (and cannot really since they live at different layers), so I think > it would be fine. Why did you have concerns? My concern was that the storage session would immediately start acting as if ITP is on.
John Wilander
Comment 19 2019-11-16 16:38:12 PST
I will keep this bug open until we have a revision for the branch patch landing.
Brent Fulgham
Comment 20 2019-11-18 12:28:52 PST
It looks like the patch was landed on the branch here: https://trac.webkit.org/r252549. Are you planning on landing this on Trunk (or creating a trunk-compatible patch?)
John Wilander
Comment 21 2019-11-18 12:57:48 PST
Resolved with https://trac.webkit.org/changeset/252549/webkit, as pointed out by Brent. I will land a fix in trunk in another Bugzilla bug.
David M
Comment 22 2019-11-20 09:12:13 PST
John, would you know if this will make it into 13.3 before GA? Thanks for the fix!
Brent Fulgham
Comment 23 2019-11-20 09:13:59 PST
(In reply to David M from comment #22) > John, would you know if this will make it into 13.3 before GA? Thanks for > the fix! We cannot comment on when a change will get into a production release. However, we recognize the importance of the change and view this as a regression from 13.2, so are treating it with high priority.
David M
Comment 24 2019-11-20 09:15:54 PST
Understood, thanks for the info and the help! Much appreciated!
Niklas Merz
Comment 25 2019-12-06 03:42:12 PST
I just did a quick test with iOS 13.3 Beta 4 and it look like the issue is resolved!
David M
Comment 26 2019-12-06 09:19:26 PST
Agreed, thanks to those that fixed this!
David M
Comment 27 2019-12-12 08:05:58 PST
FYI it appears as though this issue exists in the iOS 13.3 Simulator on the Mac with Xcode 11.3 (11C29)
John Wilander
Comment 28 2020-01-16 10:53:29 PST
*** Bug 206295 has been marked as a duplicate of this bug. ***
Niklas Merz
Comment 29 2020-06-23 03:03:42 PDT
I just tested this with iOS 14 developer beta. This is broken again. If I run the attached test project with Xcode 12 beta on an iPhone with iOS 14 I dpn't see the cors image. The latest iOS 13 still works as expected.
David Kilzer (:ddkilzer)
Comment 30 2020-06-23 05:29:11 PDT
(In reply to Niklas Merz from comment #29) > I just tested this with iOS 14 developer beta. This is broken again. > > If I run the attached test project with Xcode 12 beta on an iPhone with iOS > 14 I dpn't see the cors image. The latest iOS 13 still works as expected. Please file a new bug and relate this one!
David Kilzer (:ddkilzer)
Comment 31 2020-06-23 08:51:07 PDT
(In reply to John Wilander from comment #21) > Resolved with https://trac.webkit.org/changeset/252549/webkit, as pointed > out by Brent. I will land a fix in trunk in another Bugzilla bug. Was this fix ever ported to trunk, or did we forget to do that? (In reply to David Kilzer (:ddkilzer) from comment #30) > (In reply to Niklas Merz from comment #29) > > I just tested this with iOS 14 developer beta. This is broken again. > > > > If I run the attached test project with Xcode 12 beta on an iPhone with iOS > > 14 I dpn't see the cors image. The latest iOS 13 still works as expected. > > Please file a new bug and relate this one! Bug 213510: REGRESSION (iOS 14): WKWebView does not include cookies in cross-origin images
Note You need to log in before you can comment on or make changes to this bug.