RESOLVED INVALID 137745
When in private mode, cookies in iFramed content are not set correctly
https://bugs.webkit.org/show_bug.cgi?id=137745
natenate
Reported 2014-10-15 11:32:09 PDT
I found this in Safari 7.1 and WebKit Nightly:

Steps to repro:
1. Start or restart WebKit
2. Put WebKit into Private Browsing mode
3. Browse to http://run.plnkr.co/my0lgusP2UEYNTbL/
4. Expect the text 'Cookie value is: CSRF-Token=is_this_set%3F' to be visible
5. !! Only see 'Cookie value is: '.

Summary: The site loads a page, which includes iframed content. The iframed content should have access to a cookie value that is returned by the server (visible in headers) but is not available via JavaScript.

Some interesting other observations:
* Sometimes this seems to happen in regular browsing mode, as well as private browsing
* If you right click the iframe, and select "Open Frame in New Tab", the page will load and render the correct value. Bizarrely, if you then go back to http://run.plnkr.co/my0lgusP2UEYNTbL/ and refresh the page, the iframe will load with the correct value!
* If the host is the same in the iframe and the parent frame, the issue is not reproducible: http://safe-everglades-1254.herokuapp.com/iframed
Alexey Proskuryakov
Comment 1 2014-10-16 00:19:34 PDT
Martin, sounds like cookie accept policy may be incorrect in private browsing mode?
natenate
Comment 2 2014-10-16 13:37:28 PDT
It looks like my plnkr.co link died. I'll try to find a permalink.
natenate
Comment 3 2014-10-16 13:40:06 PDT
http://run.plnkr.co/plunks/b3IFwWieUdiMrjSk3CLW/ should work. Apologies for that.
Alexey Proskuryakov
Comment 4 2014-10-30 17:06:36 PDT
What is your cookie accept policy in Safari? With the default policy, a cross-origin subframe is not allowed to store cookies. I suspect that you have a non-default policy set in Safari preferences, and that using private browsing reverts that to default. If so, Safari/WebKit behavior seems incorrect, but I'd like to confirm that this is indeed what you are seeing.

> * If you right click the iframe, and select "Open Frame in New Tab", the page will load and render the correct value. Bizarrely, if you then go back to http://run.plnkr.co/my0lgusP2UEYNTbL/ and refresh the page, the iframe will load with the correct value!

Yes, this is expected for the default cookie policy - cross-origin subframes may not store cookies, but they can read existing ones.
natenate
Comment 5 2014-10-30 17:18:45 PDT
I never changed my cookie policy. This only happens when I'm browsing in private browsing mode.
Alexey Proskuryakov
Comment 6 2014-10-30 22:38:32 PDT
So, what is your cookie accept policy? You say that this only happens in private browsing mode for you, however I can reproduce perfectly well in non-private mode too. Please delete all cookies for safe-everglades-1254.herokuapp.com before re-testing.
natenate
Comment 7 2014-10-31 05:41:47 PDT
Is there a programmatic way to access the cookie policy, or do you just need to know what my settings are under the privacy tab for cookies? Happy to provide whatever information I can.
Alexey Proskuryakov
Comment 8 2014-10-31 10:19:55 PDT
> do you just need to know what my settings are under the privacy tab for cookies

Yes, this is what I was asking about.
natenate
Comment 9 2014-11-03 11:47:13 PST
Ok, thanks Alexey. You're right, this is also happening when not in Private mode. Here's a screenshot of the settings I have in Safari 8, that also replicates the issue: http://imgur.com/ZJl8vht

Thanks again.
Alexey Proskuryakov
Comment 10 2014-11-03 12:17:55 PST
Thank you very much for following up so promptly. Yes, this is the default cookie accept policy, which allows accepting cookies from the main frame, and also from subframes that already have some cookies associated with their domain. Closing as INVALID, as this is behaving as expected.
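
The policy described in comments 4 and 10, replayed against the reporter's three observations, as an added example that is not part of the bug thread and is not WebKit's code. It is a simplified model: the hostnames are constructed, and "first party" is assumed to mean an exact hostname match with the main frame.

```javascript
// Simplified model of the default cookie accept policy from comments 4 and 10.
// Assumption: first-party status is an exact hostname match; a real browser
// compares registrable domains and applies further rules.
class CookieJar {
  constructor() {
    this.store = new Map(); // host -> Map(name -> value)
  }

  // A frame is first-party when its host matches the main frame's host.
  isFirstParty(frameHost, topHost) {
    return frameHost === topHost;
  }

  // Handle a Set-Cookie from frameHost while topHost is the main frame.
  // Returns true if the cookie was stored.
  setCookie(frameHost, topHost, name, value) {
    const existing = this.store.get(frameHost);
    const hasCookies = existing !== undefined && existing.size > 0;
    if (!this.isFirstParty(frameHost, topHost) && !hasCookies) {
      return false; // cross-origin subframe with no prior cookies: dropped
    }
    if (!existing) this.store.set(frameHost, new Map());
    this.store.get(frameHost).set(name, value);
    return true;
  }

  // Reading existing cookies is allowed in any frame (what document.cookie shows).
  readCookies(frameHost) {
    const cookies = this.store.get(frameHost) || new Map();
    return [...cookies].map(([k, v]) => `${k}=${v}`).join("; ");
  }
}

// Replays the reporter's steps with constructed hostnames.
function replayReport() {
  const jar = new CookieJar();
  const parent = "parent.example"; // constructed
  const framed = "framed.example"; // constructed
  const seen = [];
  // 1. Parent page embeds the cross-origin iframe: Set-Cookie is dropped.
  jar.setCookie(framed, parent, "CSRF-Token", "is_this_set%3F");
  seen.push(jar.readCookies(framed));
  // 2. "Open Frame in New Tab": the framed host is now the main frame.
  jar.setCookie(framed, framed, "CSRF-Token", "is_this_set%3F");
  seen.push(jar.readCookies(framed));
  // 3. Back on the parent page after refresh: the iframe sees the stored cookie.
  jar.setCookie(framed, parent, "CSRF-Token", "is_this_set%3F");
  seen.push(jar.readCookies(framed));
  return seen;
}
```

A CSRF token delivered only as a cookie to a cross-origin iframe therefore depends on the user having visited the framed site as a top-level page first.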