Bug 175934 - Third-party cookies shared when requesting video content
Summary: Third-party cookies shared when requesting video content
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media (show other bugs)
Version: WebKit Nightly Build
Hardware: Mac macOS 10.12
: P2 Normal
Assignee: Nobody
URL: https://tedpiotrowski.svbtle.com/brok...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-08-24 06:54 PDT by teddyp
Modified: 2019-06-16 21:22 PDT (History)
6 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description teddyp 2017-08-24 06:54:54 PDT 
To reproduce:
1. Under privacy settings choose:
   -Allow from current website only OR Allow from websites I visit
2. Confirm third-party cookies are disabled by visiting: https://alanhogan.github.io/web-experiments/3rd/third-party-cookies.html
3. Create a page on domain1.com that embeds a <video src="http://domain2.com"> and notice that domain2.com Cookies are sent with the request. 
   This behavior differs from both Firefox and Chrome which deny the cookies being sent.

Correct behavior:
domain2.com Cookies should not be sent.

I've documented a real world scenario in this blogpost: https://tedpiotrowski.svbtle.com/broken-video-attachments-in-gmail

My apologies if this behavior is intentional to prevent user pain/confusion.
Comment 1 Radar WebKit Bug Importer 2017-08-25 18:11:01 PDT 
<rdar://problem/34093740>