| Summary: | REGRESSION (Safari 15): Cookies set with sameSite=None are not sent on cross domain requests | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Tiago Duarte <tmpduarte> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | Normal | CC: | achristensen, wilander, youennf |
| Priority: | P2 | Keywords: | Regression |
| Version: | Safari 15 | | |
| Hardware: | Mac (Apple Silicon) | | |
| OS: | macOS 12 | | |
(In reply to Tiago Duarte from comment #0)
> Created attachment 451077 [details]
> Subsequent request cookies after the cookie has been set
>
> I'm developing a react web app, and since I updated my Safari to v15 it
> stopped sending cookies with `sameSite=None` to different domains.
>
> In particular, while I'm developing using localhost and sending requests to
> a remote server, the cookie is not sent.
>
> The cookie is set like this:
> ```
> Set-Cookie: _staging_app_key=XYZ.XYZXYZXYZXYZ; path=/; expires=Tue, 08 Feb 2022 11:40:36 GMT; max-age=86400; secure; HttpOnly; SameSite=None
> ```
>
> But it is never sent in subsequent requests

Hi! Thanks for filing!

Cross-site, or third-party, cookies have been blocked by default in Safari for two years: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

SameSite=none has never created an exception to third-party cookie blocking in Safari. It was mainly driven by the Chrome team since Chrome still allows third-party cookies by default.

If a third-party domain wants access to cookies, it should make use of the Storage Access API, explained under "How To Use the Storage Access API" here: https://webkit.org/blog/11545/updates-to-the-storage-access-api/
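The Storage Access API call sequence that the reply above points to, as an added example that is not part of the bug thread or of WebKit's code. It is meant to run inside the embedded third-party document; `ensureStorageAccess`, `attachToButton` and their parameters are assumed names, and `doc` is passed in only so the logic can be exercised outside a browser.

```javascript
// Added example (not from the bug thread). Runs in the third-party frame.
// `doc` is that frame's Document object.
async function ensureStorageAccess(doc) {
  // Browsers without the Storage Access API expose neither method.
  if (typeof doc.hasStorageAccess !== 'function' ||
      typeof doc.requestStorageAccess !== 'function') {
    return 'unsupported';
  }

  // Access may already have been granted earlier in this browsing context.
  if (await doc.hasStorageAccess()) {
    return 'already-granted';
  }

  try {
    // Has to be called while handling a user gesture (tap or click).
    // The promise rejects if the browser or the user declines.
    await doc.requestStorageAccess();
    return 'granted';
  } catch (err) {
    return 'denied';
  }
}

// Hypothetical wiring: `button` is any element inside the frame, and the
// two callbacks are supplied by the embedding code.
function attachToButton(doc, button, onReady, onBlocked) {
  button.addEventListener('click', async () => {
    const state = await ensureStorageAccess(doc);
    if (state === 'denied') {
      // Cookies stay blocked: fall back to a flow that does not need them,
      // such as opening the service as a first-party page.
      onBlocked(state);
    } else {
      // 'granted' / 'already-granted': the frame's cookies are available.
      // 'unsupported': no API to ask, so proceed and let the request decide.
      onReady(state);
    }
  });
}
```

Calling `ensureStorageAccess` from page-load code instead of a click handler ends in the `'denied'` branch, because the request is only honoured during a user gesture.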
Created attachment 451077 [details]
Subsequent request cookies after the cookie has been set

I'm developing a react web app, and since I updated my Safari to v15 it stopped sending cookies with `sameSite=None` to different domains.

In particular, while I'm developing using localhost and sending requests to a remote server, the cookie is not sent.

The cookie is set like this:
```
Set-Cookie: _staging_app_key=XYZ.XYZXYZXYZXYZ; path=/; expires=Tue, 08 Feb 2022 11:40:36 GMT; max-age=86400; secure; HttpOnly; SameSite=None
```

But it is never sent in subsequent requests