Bug 213120
| Summary: | Cross-origin cookies aren't set in Safari on iOS/macOS and in WKWebView | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | German <gprostmail> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Major | CC: | katherine_cheney, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 13 | ||
| Hardware: | All | ||
| OS: | All | ||
German
I'm not sure if that's a regression of https://bugs.webkit.org/show_bug.cgi?id=200857 and https://bugs.webkit.org/show_bug.cgi?id=204109 or not...
Cookies are just ignored and aren't sent in requests.
Works fine for cross-subdomain requests like between one.myhost.com and two.myhost.com but doesn't work between fully different domains like one.myhost.com and some.other.org.
BTW, I only checked that it doesn't work for sites that have different TLDs, not sure if the bug applies to sites with equal TLDs but different SLDs.
I can reproduce it in Safari and Safari TP on macOS X 10.15.5 and in Safari and WKWebView on iOS 13.5.1
Radar WebKit Bug Importer
<rdar://problem/64348252>
John Wilander
Hi! Thanks for filing!
(In reply to German from comment #0)
> I'm not sure if that's a regression of
> https://bugs.webkit.org/show_bug.cgi?id=200857 and
> https://bugs.webkit.org/show_bug.cgi?id=204109 or not...
> Cookies are just ignored and aren't sent in requests.
Safari blocks all third party cookies by default as part of its Intelligent Tracking Prevention feature (ITP) since our release in March: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
> Works fine for cross-subdomain requests like between one.myhost.com and
> two.myhost.com but doesn't work between fully different domains like
> one.myhost.com and some.other.org.
> BTW, I only checked that it doesn't work for sites that have different TLDs,
> not sure if the bug applies to sites with equal TLDs but different SLDs
>
> I can reproduce it in Safari and Safari TP on macOS X 10.15.5 and in Safari
> and WKWebView on iOS 13.5.1
WKWebView should not be seeing the same behavior since ITP is not enabled for it.
German
Thanks for the reply, John Wilander!
> WKWebView should not be seeing the same behavior since ITP is not enabled for it.
Hmm, there is one peculiar thing I noticed. Cross-domain cookies aren't used in the requests until I hard close/open the app.
If I delete the app and then re-install it, cookies don't work again until I hard close/open the app.
This is the flow in our app:
1. Sign in using a cross-domain URL (cookies are set for this domain now)
2. Send requests to this domain now to get/modify resources (works only after you hard close-open the app and sign in again).
We use Cordova.
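
An added example, not part of the bug report and not WebKit's code: third-party cookie blocking classifies a request by registrable domain (eTLD+1), which is why one.myhost.com and two.myhost.com count as the same site while some.other.org does not. The suffix set is a constructed subset of the Public Suffix List, and `api.otherhost.com` and the `.co.uk` hosts are constructed sample names.

```javascript
// Constructed subset of the Public Suffix List (assumption: a real check loads the full list).
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // i grows from 0, so the first hit is the longest matching suffix.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a public suffix and has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix (for example an IP address)
}

// A request is third-party when its registrable domain differs from the top-level page's.
function isThirdParty(topLevelUrl, requestUrl) {
  const top = new URL(topLevelUrl).hostname;
  const req = new URL(requestUrl).hostname;
  const a = registrableDomain(top);
  const b = registrableDomain(req);
  // Without a registrable domain, fall back to an exact host comparison.
  if (a === null || b === null) return top !== req;
  return a !== b;
}

// Constructed sample requests issued from a page on one.myhost.com.
const SAMPLE_REQUESTS = [
  "https://two.myhost.com/api",    // same registrable domain: first-party
  "https://some.other.org/api",    // different TLD and SLD: third-party
  "https://api.otherhost.com/api", // same TLD, different SLD: still third-party
];

function classifySamples() {
  return SAMPLE_REQUESTS.map((url) => [url, isThirdParty("https://one.myhost.com/", url)]);
}

console.log(classifySamples());
```

A cookie set by a host classified as third-party here is the kind that the full third-party cookie blocking described in the reply above applies to; sharing a TLD does not make two hosts the same site.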