Bug 228261

Summary: cookies with SameSite information are never sent for “unofficial” or new TLDs in iOS-12.x for non-toplevel requests
Product: WebKit Reporter: Nathan Phillip Brink (binki) <ohnobinki>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: ap
Priority: P2    
Version: Other   
Hardware: iPhone / iPad   
OS: Other   

Description Nathan Phillip Brink (binki) 2021-07-23 18:01:41 PDT 
In iOS-12.5.3, if I connect to a site with a name such as “blah.not-a-tld” (using a custom local DNS setup) and then issue cookies to Mobile Safari with any SameSite specified (for example, SameSite=Lax), then these cookies are only sent for toplevel requests. They are omitted from XHR.

I suspect that that version of Safari does not have r245299 which changes how areRegistrableDomainsEqual() handles domain names not in the hardcoded TLD list shipped with iOS. I suspect that, prior to r245299, the effective cookie site URI is the empty string. After that change, the effective cookie site will be the entire host (because of the domain.isEmpty() check added in registrableDomainFromHost() by that changeset).

To reproduce:

1. Produce a webserver issuing a header such as Set-Cookie: c=1; Path=/; SameSite=Lax such as with the following command: node -e "require('http').createServer((req, res) => {console.log(req.headers); res.writeHead(200, {'Set-Cookie': 'c=1; Path=/; HttpOnly; SameSite=Lax', 'Cache-Control': 'no-cache', 'Content-Type': 'text/html; charset=utf-8'}).end('<html>');}).listen(3000)"
2. Configure your network and iPod running iOS-12.5.3 (latest for iPod6) such that the host blah.not-a-tld resolves to your server. For example, add an entry the server’s /etc/hosts and run dnsmasq on the server and then set custom DNS servers pointing to your sever in your iPod’s network settings.
3. On the iPod, navigate to http://blah.not-a-tld:3000/.
4. Using Web Inspector from Safari Technology Preview on a Mac OS X machine, run fetch('http://blah.not-a-tld:3000/', { credentials: 'include', }) twice.

Expected results:

The second time the fetch is run, the request should send the cookie. This will be visible to the server and via Web Inspector.

Actual results:

The second time the fetch is run, the cookie is not sent.

If SameSite is removed entirely from the Set-Cookie header, the cookie is sent.

If top-level navigation is performed (e.g., reload the page or renavigate to it in Mobile Safari), the cookie is sent.

The problem is not reproducible in iOS-14.6.
Comment 1 Alexey Proskuryakov 2021-07-26 15:18:01 PDT 
Thank you for the report! Since this is not reproducible on a current version, I'm resolving this as Configuration Changed. There is no way for us to fix an issue back in the past.
Comment 2 Nathan Phillip Brink (binki) 2021-07-26 23:29:05 PDT 
Also affects iOS-12.5.4.