Bug 291194

Summary: REGRESSION(289693@main): [SOUP] iframe on same apex as parent can't access cookies
Product: WebKit
Reporter: Simon Knott <info>
Component: WebKitGTK
Assignee: Patrick Griffis <pgriffis>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply, dpino, fujii.hironori, jonathan, max, mcatanzaro, pgriffis, yurys
Priority: P2
Keywords: DoNotImportToRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Linux

Simon Knott
Reported 2025-04-07 04:53:14 PDT
The child iframe can't access its parent cookies, even though it's on the same apex domain. This bug was introduced in c6414d5c4ed2fed77d0f485a1ff0a8621411c562...3e847b33c9aa193c4a1fc72e530dd3edaf4f11a2.

# Repro

```js
require('http').createServer((req, res) => {
  res.setHeader('Content-Type', 'text/html');
  if (req.headers.host === 'example.test') {
    // Parent page: sets a cookie scoped to the apex domain and embeds the subdomain in an iframe.
    res.setHeader('Set-Cookie', 'testCookie=value; SameSite=Lax; Domain=example.test');
    res.end(`
      <p id="result"></p>
      <script>document.getElementById('result').textContent = document.cookie || 'no cookies';</script>
      <iframe src="http://sub.example.test"></iframe>
    `);
  } else if (req.headers.host === 'sub.example.test') {
    // Child frame: only reports the cookies visible to it.
    res.end(`
      <p id="result"></p>
      <script>document.getElementById('result').textContent = document.cookie || 'no cookies';</script>
    `);
  } else {
    res.statusCode = 404;
    res.end();
  }
}).listen(80);
```

```
# add to /etc/hosts
127.0.0.1 example.test
127.0.0.1 sub.example.test
```

Open up `example.test`. I expect to see `testCookie=value` in both the parent and child frame. It actually shows `no cookies` in the child frame.

Originally reported as https://github.com/microsoft/playwright/issues/35439.
Simon Knott
Comment 1 2025-04-07 04:54:08 PDT
This occurs only on Linux. I'm willing to work on a fix for this.
Fujii Hironori
Comment 2 2025-04-08 00:02:30 PDT
libsoup is used on Linux, not libcurl.
Max Schmitt
Comment 3 2025-04-09 08:21:02 PDT
Investigating: Looks like it only affects special domains like 'example.test' or 'example.test1'. Bisecting the change right now to see which patch caused it.
Patrick Griffis
Comment 5 2025-04-10 07:15:28 PDT
Patrick Griffis
Comment 6 2025-04-10 07:26:20 PDT
So that patch fixes this specific case. I do wonder, though, if WebKit is entirely correct to treat this as a third-party domain. As you link, libsoup already did too. That said, other browsers do not block the cookie in this situation.
Patrick Griffis
Comment 7 2025-04-10 07:27:56 PDT
Actually, WebKit on Apple platforms also does this, so I think it's fine.
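An added illustration, not WebKit or libsoup code and not taken from the patch, of how a first-party check based on registrable domains behaves for the hosts in the repro when the TLD (`.test`) is absent from the suffix list. The suffix set, the function names and the `'strict'` fallback policy are constructed assumptions; `'wildcard'` follows the Public Suffix List's default `*` rule.

```javascript
// Constructed, tiny stand-in for a public-suffix list (assumption, not the real list).
const SUFFIXES = new Set(['com', 'org', 'co.uk']);

// Registrable domain (public suffix plus one label), or null when none can be derived.
// unknownTld: 'wildcard' applies the PSL default rule "*" (the last label is the suffix);
//             'strict' (hypothetical policy) gives hosts without a listed suffix no
//             registrable domain at all.
function registrableDomain(host, unknownTld) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  let suffixLen = 0;
  // Scan from the longest candidate suffix to the shortest; the first hit is the longest match.
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join('.'))) {
      suffixLen = labels.length - i;
      break;
    }
  }
  if (suffixLen === 0) {
    if (unknownTld === 'strict') return null;
    suffixLen = 1;
  }
  if (labels.length <= suffixLen) return null; // the host is itself a public suffix
  return labels.slice(labels.length - suffixLen - 1).join('.');
}

// A frame is first-party when it shares the top-level page's registrable domain.
// Without a registrable domain, fall back to an exact host comparison.
function isFirstParty(topHost, frameHost, unknownTld) {
  const top = registrableDomain(topHost, unknownTld);
  const frame = registrableDomain(frameHost, unknownTld);
  if (top === null || frame === null) {
    return topHost.toLowerCase() === frameHost.toLowerCase();
  }
  return top === frame;
}

// Would a jar that blocks third-party cookies expose a Domain=<cookieDomain> cookie to the frame?
function cookieVisibleInFrame(topHost, frameHost, cookieDomain, unknownTld) {
  const domainMatch = frameHost === cookieDomain || frameHost.endsWith('.' + cookieDomain);
  return domainMatch && isFirstParty(topHost, frameHost, unknownTld);
}

// Hosts from the repro: visible under 'wildcard', hidden under 'strict'.
console.log(cookieVisibleInFrame('example.test', 'sub.example.test', 'example.test', 'wildcard'));
console.log(cookieVisibleInFrame('example.test', 'sub.example.test', 'example.test', 'strict'));
```

With a listed suffix such as `.com` both policies agree, which is the shape of the "only affects special domains" observation in Comment 3.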
EWS
Comment 8 2025-04-10 12:57:13 PDT
Committed 293538@main (3f1d5e3400d4): <https://commits.webkit.org/293538@main> Reviewed commits have been landed. Closing PR #43899 and removing active labels.