Bug 306194

Summary: Partitioned cookies (CHIPS) are dropped on return after multi-hop cross-site redirects
Product: WebKit
Reporter: kian
Component: Page Loading
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: beidson, kian, m_finkel, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: Safari 26
Hardware: Unspecified
OS: Unspecified

kian
Reported 2026-01-24 17:25:46 PST
Safari drops Partitioned cookies (SameSite=None; Secure; Partitioned) after a multi-hop cross-site redirect chain, even when the final navigation returns to the original top-level site. Non-partitioned cookies set at the same time are preserved. This breaks many OAuth / OIDC-style login flows that use partitioned cookies.

I've created a minimal, self-contained reproduction using three domains. Source code and live demo are available:
- GitHub repo: https://github.com/kiancross/safari-partitioned-cookie-bug-demo
- Live demo: https://safari-partitioned-cookie-bug-demo.kiancross.workers.dev

To reproduce:
1. Visit Domain A (start page).
2. Click "Start test".
3. Domain A:
   - Sets two cookies:
     np_cookie=np1; SameSite=None; Secure
     p_cookie=p1; SameSite=None; Secure; Partitioned
   - Responds with a 302 redirect to Domain B.
4. Domain B immediately 302s to Domain C.
5. Domain C immediately 302s back to Domain A (/return).
6. Domain A prints the incoming Cookie header.

Expected Result:
Both cookies set on Domain A (np_cookie and p_cookie) should be sent back to Domain A when the navigation returns.

Actual Result:
The non-partitioned cookie (np_cookie) is present. The partitioned cookie (p_cookie) is missing from the Cookie header on the return request.

I have reproduced this reliably on Safari 26.2 for both macOS and iOS.
kian
Comment 1 2026-01-24 17:27:05 PST
Additional Details:

The issue only appears after multiple cross-site redirects (A -> B -> C -> A). A redirect chain involving only a single cross-site hop (A -> B -> B -> A) does not reproduce the problem.

Pausing the redirect chain at Domain B (e.g., 200 OK response and explicit user interaction) then continuing the flow (A -> B (user input) -> C -> A), does not change the outcome. The critical step appears to be the final B -> C -> A redirect sequence.

When pausing at Domain B, the cookies can be verified as present and correctly set (e.g., by opening Domain A in another tab). However, those same cookies are not sent to Domain A when returning via the final redirect chain.

In the live demo I've provided, after arriving back at Domain A through the redirect chain, refreshing the page causes the partitioned cookies to appear as expected.

Opening the live demo in Chrome shows the expected behaviour: both partitioned and non-partitioned cookies are sent on the return request.
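The three-domain chain from the report and the B -> C -> A refinement in Comment 1, modelled here as an added Node.js example. This is not the reporter's demo code from the linked repository; it is a network-free model of the server side of the repro. The hostnames a.example.test, b.example.test and c.example.test are placeholders, and the function names (setCookieHeader, parseCookieHeader, handle, diagnoseReturn, followChain) are chosen for this example. The return handler classifies the incoming Cookie header into the "expected" and "actual" outcomes described in the report, which is what a login endpoint would want to log to detect this failure mode in the field.

```javascript
// Added example: server-side model of the A -> B -> C -> A redirect chain.
// Placeholder origins (assumption, not the live demo's hostnames).
const DOMAIN_A = "https://a.example.test";
const DOMAIN_B = "https://b.example.test";
const DOMAIN_C = "https://c.example.test";

// Build a Set-Cookie header value. The Partitioned attribute (CHIPS) is only
// valid together with SameSite=None and Secure, so those are always emitted.
function setCookieHeader(name, value, { partitioned = false } = {}) {
  const attrs = [`${name}=${value}`, "Path=/", "SameSite=None", "Secure"];
  if (partitioned) attrs.push("Partitioned");
  return attrs.join("; ");
}

// Parse a request Cookie header ("a=1; b=2") into a Map; last duplicate wins.
function parseCookieHeader(header) {
  const jar = new Map();
  if (!header) return jar;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar.set(name, value);
  }
  return jar;
}

// Classify the Cookie header seen on A's /return endpoint.
// "ok"                         -> both cookies came back (Chrome behaviour in the report)
// "partitioned-cookie-dropped" -> np_cookie present, p_cookie missing (Safari behaviour)
// "no-cookies"                 -> neither cookie present (cookies never set or blocked)
function diagnoseReturn(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  const npPresent = jar.get("np_cookie") === "np1";
  const pPresent = jar.get("p_cookie") === "p1";
  let verdict;
  if (npPresent && pPresent) verdict = "ok";
  else if (npPresent && !pPresent) verdict = "partitioned-cookie-dropped";
  else verdict = "no-cookies";
  return { npPresent, pPresent, verdict };
}

// One handler for all three domains; returns a plain response object.
function handle(origin, path, cookieHeader = "") {
  if (origin === DOMAIN_A && path === "/start") {
    return {
      status: 302,
      headers: {
        "Set-Cookie": [
          setCookieHeader("np_cookie", "np1"),
          setCookieHeader("p_cookie", "p1", { partitioned: true }),
        ],
        Location: `${DOMAIN_B}/hop`,
      },
    };
  }
  if (origin === DOMAIN_B && path === "/hop") {
    return { status: 302, headers: { Location: `${DOMAIN_C}/hop` } };
  }
  if (origin === DOMAIN_C && path === "/hop") {
    return { status: 302, headers: { Location: `${DOMAIN_A}/return` } };
  }
  if (origin === DOMAIN_A && path === "/return") {
    return { status: 200, headers: {}, body: diagnoseReturn(cookieHeader) };
  }
  return { status: 404, headers: {}, body: "not found" };
}

// Follow Location headers server-side to list the hops a browser would make.
function followChain(startOrigin, startPath, maxHops = 10) {
  const hops = [];
  let origin = startOrigin;
  let path = startPath;
  for (let i = 0; i < maxHops; i++) {
    hops.push(`${origin}${path}`);
    const res = handle(origin, path);
    if (res.status !== 302) return hops;
    const next = new URL(res.headers.Location);
    origin = next.origin;
    path = next.pathname;
  }
  throw new Error("redirect chain exceeded maxHops");
}

// Stand-alone demo: the two Cookie headers below are constructed to mirror the
// report's "expected" (Chrome) and "actual" (Safari 26.2) return requests.
console.log(followChain(DOMAIN_A, "/start"));
console.log(diagnoseReturn("np_cookie=np1; p_cookie=p1").verdict); // ok
console.log(diagnoseReturn("np_cookie=np1").verdict);              // partitioned-cookie-dropped
```

Plugging this into a real server means wiring handle() to each domain's request handler and emitting the verdict from /return into access logs; a spike in "partitioned-cookie-dropped" on the return leg of a login flow, while the non-partitioned cookie still arrives, is the signature of the behaviour described above rather than of a cookie that was never set.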
kian
Comment 2 2026-01-24 19:28:34 PST
(I've also submitted this on Apple Feedback Assistant, as I suspect this might have been the wrong place to submit. If so, feel free to close this issue.)
Radar WebKit Bug Importer
Comment 3 2026-01-26 19:56:25 PST
Alexey Proskuryakov
Comment 4 2026-01-28 17:23:13 PST