Bug 236227

Summary: REGRESSION (Safari 15): Cookies set with sameSite=None are not sent on cross domain requests
Product: WebKit Reporter: Tiago Duarte <tmpduarte>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal CC: achristensen, wilander, youennf
Priority: P2 Keywords: Regression
Version: Safari 15   
Hardware: Mac (Apple Silicon)   
OS: macOS 12   
Attachments:
Description Flags
Subsequent request cookies after the cookie has been set none

Description Tiago Duarte 2022-02-07 04:02:13 PST
Created attachment 451077 [details]
Subsequent request cookies after the cookie has been set

I'm developing a react web app, and since I updated my Safari to v15 it stoped sending cookies with `sameSite=None` to different domains.

In particular, while I'm developing using localhost and sending requests to a remote server, the cookie is not sent.

The cookie is set like this:
```
Set-Cookie: _staging_app_key=XYZ.XYZXYZXYZXYZ; path=/; expires=Tue, 08 Feb 2022 11:40:36 GMT; max-age=86400; secure; HttpOnly; SameSite=None
```

But it is never sent in subsequent requests
Comment 1 John Wilander 2022-02-08 19:49:12 PST
(In reply to Tiago Duarte from comment #0)
> Created attachment 451077 [details]
> Subsequent request cookies after the cookie has been set
> 
> I'm developing a react web app, and since I updated my Safari to v15 it
> stoped sending cookies with `sameSite=None` to different domains.
> 
> In particular, while I'm developing using localhost and sending requests to
> a remote server, the cookie is not sent.
> 
> The cookie is set like this:
> ```
> Set-Cookie: _staging_app_key=XYZ.XYZXYZXYZXYZ; path=/; expires=Tue, 08 Feb
> 2022 11:40:36 GMT; max-age=86400; secure; HttpOnly; SameSite=None
> ```
> 
> But it is never sent in subsequent requests

Hi! Thanks for filing!

Cross-site, or third-party cookies have been blocked by default in Safari for two years: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

SameSite=none has never created an exception to third-party cookie blocking in Safari. It was mainly driven by the Chrome team since Chrome still allows third-party cookies by default.

If a third-party domain wants access to cookies, it should make use of the Storage Access API, explained under "How To Use the Storage Access API" here: https://webkit.org/blog/11545/updates-to-the-storage-access-api/