Bug 179348 (RESOLVED WONTFIX)
"Allow from websites I visit" privacy setting strips cookies from 302 redirects on <video>
https://bugs.webkit.org/show_bug.cgi?id=179348
Jeremy Selier
Reported 2017-11-06 16:01:02 PST
Similar to this old bug: https://bugs.webkit.org/show_bug.cgi?id=139683

1. Load website at foo.com
2. Website creates a <video> and points to bar.com in src.
3. bar.com does a 302 redirect to bar.com/somethingelse with a set-cookie

Expected: set-cookie is indeed set on redirect
Actual: set-cookie is not set on bar.com/somethingelse query

If I change my setting to "Always allow", it works fine. Also checked same code in latest iOS on iPhone and it also fails there.
The interesting part is that if I open bar.com in a new tab, the set-cookie is properly set on redirect to bar.com/somethingelse

All other browsers tested work fine. Let me know if you need a repro case.
Radar WebKit Bug Importer
Comment 1 2017-11-08 19:21:56 PST
Jeremy Selier
Comment 2 2017-11-08 19:25:25 PST
Looking into this more, I believe that this may be working as intended with the Safari-specific cookie privacy setting. Feel free to close if that's the case.
Jer Noble
Comment 3 2017-11-08 23:44:59 PST
(In reply to Jeremy Selier from comment #0)
> Similar to this old bug: https://bugs.webkit.org/show_bug.cgi?id=139683
>
> 1. Load website at foo.com
> 2. Website creates a <video> and points to bar.com in src.
> 3. bar.com does a 302 redirect to bar.com/somethingelse with a set-cookie
>
> Expected: set-cookie is indeed set on redirect
> Actual: set-cookie is not set on bar.com/somethingelse query

Yes, this is behaving as intended. Responses from bar.com in a foo.com context can't set cookies. You'll find the same behavior with <img src="http://bar.com/somethingelse">.

> If I change my setting to "Always allow", it works fine. Also checked same
> code in latest iOS on iPhone and it also fails there.
> The interesting part is that if I open bar.com in a new tab, the set-cookie
> is properly set on redirect to bar.com/somethingelse

This is also behaving as intended; you've visited bar.com in a first-party context, so subsequent requests in a third-party context will be allowed to set and read cookies (for a while, until Intelligent Tracking Protection kicks in).

> All other browsers tested work fine. Let me know if you need a repro case.
Jer Noble
Comment 4 2017-11-08 23:45:58 PST
(In reply to Jeremy Selier from comment #2)
> Looking into this more, I believe that this may be working as intended with
> the Safari-specific cookie privacy setting. Feel free to close if that's the
> case.

Will do.
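A minimal test origin for checking the behaviour discussed in this thread, as an added example that is not part of the bug report or of WebKit: it plays the bar.com role, answering one path with a 302 plus Set-Cookie and reporting on /somethingelse whether the cookie came back. The `/start` path, the `redirect_probe` cookie name and the `REPRO_PORT` variable are assumptions made for the example.

```javascript
// Added example: stand-in for the "bar.com" origin from the report.
// The /start path, the cookie name and REPRO_PORT are assumptions.
const COOKIE_NAME = 'redirect_probe';

// True when the request's Cookie header carries the probe cookie.
function hasProbeCookie(cookieHeader) {
  return String(cookieHeader || '')
    .split(';')
    .some((pair) => pair.trim().split('=')[0] === COOKIE_NAME);
}

// Pure handler: (path, Cookie header) -> { status, headers, body }.
function respond(path, cookieHeader) {
  if (path === '/start') {
    // Step 3 of the report: a 302 redirect that also sets a cookie.
    return {
      status: 302,
      headers: { Location: '/somethingelse', 'Set-Cookie': `${COOKIE_NAME}=1; Path=/` },
      body: '',
    };
  }
  if (path === '/somethingelse') {
    // The redirect target reports whether the cookie came back.
    const seen = hasProbeCookie(cookieHeader) ? 'yes' : 'no';
    return {
      status: 200,
      headers: { 'Content-Type': 'text/plain', 'X-Cookie-Seen': seen },
      body: `cookie seen: ${seen}\n`,
    };
  }
  return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found\n' };
}

// Optional live server: REPRO_PORT=8080 node repro.js
if (typeof process !== 'undefined' && process.env.REPRO_PORT) {
  import('node:http').then((http) => {
    http.createServer((req, res) => {
      const path = req.url.split('?')[0];
      const out = respond(path, req.headers.cookie);
      // The log line is the observation point; the body is not playable media.
      console.log(`${req.method} ${path} cookie-seen=${out.headers['X-Cookie-Seen'] || '-'}`);
      res.writeHead(out.status, out.headers);
      res.end(out.body);
    }).listen(Number(process.env.REPRO_PORT));
  });
}
```

Point a `<video src>` on a page served from a different site at `/start` and compare the `cookie-seen` log value under each cookie setting, before and after opening the test origin directly in a tab.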