Bug 236227

Summary:

REGRESSION (Safari 15): Cookies set with sameSite=None are not sent on cross domain requests

Product:

WebKit

Reporter:

Tiago Duarte <tmpduarte>

Component:

New Bugs

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED WONTFIX

Severity:

Normal

CC:

achristensen, wilander, youennf

Priority:

Keywords:

Regression

Version:

Safari 15

Hardware:

Mac (Apple Silicon)

OS:

macOS 12

Attachments:

Description	Flags
Subsequent request cookies after the cookie has been set	none

Tiago Duarte

Reported 2022-02-07 04:02:13 PST

Created attachment 451077 [details] Subsequent request cookies after the cookie has been set I'm developing a react web app, and since I updated my Safari to v15 it stoped sending cookies with `sameSite=None` to different domains. In particular, while I'm developing using localhost and sending requests to a remote server, the cookie is not sent. The cookie is set like this: ``` Set-Cookie: _staging_app_key=XYZ.XYZXYZXYZXYZ; path=/; expires=Tue, 08 Feb 2022 11:40:36 GMT; max-age=86400; secure; HttpOnly; SameSite=None ``` But it is never sent in subsequent requests

Attachments
Subsequent request cookies after the cookie has been set (58.00 KB, image/png) 2022-02-07 04:02 PST, Tiago Duarte	no flags	Details
View All Add attachment proposed patch, testcase, etc.

John Wilander

Comment 1 2022-02-08 19:49:12 PST

(In reply to Tiago Duarte from comment #0) > Created attachment 451077 [details] > Subsequent request cookies after the cookie has been set > > I'm developing a react web app, and since I updated my Safari to v15 it > stoped sending cookies with `sameSite=None` to different domains. > > In particular, while I'm developing using localhost and sending requests to > a remote server, the cookie is not sent. > > The cookie is set like this: > ``` > Set-Cookie: _staging_app_key=XYZ.XYZXYZXYZXYZ; path=/; expires=Tue, 08 Feb > 2022 11:40:36 GMT; max-age=86400; secure; HttpOnly; SameSite=None > ``` > > But it is never sent in subsequent requests Hi! Thanks for filing! Cross-site, or third-party cookies have been blocked by default in Safari for two years: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/ SameSite=none has never created an exception to third-party cookie blocking in Safari. It was mainly driven by the Chrome team since Chrome still allows third-party cookies by default. If a third-party domain wants access to cookies, it should make use of the Storage Access API, explained under "How To Use the Storage Access API" here: https://webkit.org/blog/11545/updates-to-the-storage-access-api/

Note You need to log in before you can comment on or make changes to this bug.