Bug 188073 - Same-Site cookies are not sent with same-origin redirect initiated from cross-origin navigation
Summary: Same-Site cookies are not sent with same-origin redirect initiated from cross...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Mac Unspecified
: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-07-26 13:04 PDT by Daniel Bates
Modified: 2020-10-19 20:51 PDT (History)
2 users (show)

See Also:

Attachments
Layout tests (8.47 KB, patch)
2018-07-26 13:06 PDT, Daniel Bates 		ews-feeder: commit-queue-
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Bates 2018-07-26 13:04:11 PDT 
Let A, B be two registrable domains where A != B. Without loss of generality suppose that you load A/a1.html in the top-most frame and it redirects to B/b1.html that redirects to A/a2.html that redirects to A/a3.html. Then same-site cookies are never sent in the request to A/a3.html. But we should have sent same-site cookies in the request to A/a3.html because the request is same-site with A/a2.html, which initiated the load.
Comment 1 Radar WebKit Bug Importer 2018-07-26 13:04:37 PDT 
<rdar://problem/42635007>
Comment 2 Radar WebKit Bug Importer 2018-07-26 13:04:53 PDT 
<rdar://problem/42635005>
Comment 3 Daniel Bates 2018-07-26 13:06:51 PDT 
Created attachment 345860 [details]
Layout tests
Comment 4 jxtps435 2018-12-04 10:46:22 PST 
This bug is breaking our federated login. 

We have a somewhat tricky federated login setup between two trusted sites, and since Safari 12 there's a cookie not being sent with the last request - presumably due to ITP 2.0. 

Site A.example uses site B.example for federated login. Both sites are owned by the same entity, and know / trust each other (but not other sites) via shared secrets, and have split responsibilities - some account management is done on site A, some on site B (we have many sites A, this is to be able to reuse the functionality on B). 

The sequence is as follows: 

A.example renders page containing iframe from B.example (cookies not used or necessary). Form in this iframe has target=_top and action=B.example/login. User submits the form. 

B.example/login authenticates the login, sets a session cookie, and redirects to A.example/login?token=xyz 

A.example/login?token=xyz authenticates the login, sets a session cookie, and redirects to A.example/hello

A.example/hello expected the session cookie to be sent, but it isn't => looks like the user isn't logged in. <-- THIS IS THE CHANGE IN BEHAVIOR FROM PREVIOUS VERSIONS OF SAFARI.  

The user is terribly confused and either gives up or contacts support. 

If the user reloads A.example/hello or clicks a link on that page, the session cookie is sent => now it looks like the user is logged in. Even more confusing. 


Presumably this is due to ITP 2.0 (or similar functionality) blocking the cookie since it probably looks like a tracking scenario to that code - the user is logged in to both sites, so the ability to track is certainly there. 


Please include the session cookie when an eTLD redirects to itself (e.g. A.example/login?token=xyz redirecting to A.example/hello). It's totally fine if only cookies set in the redirecting action (A.example/login?token=xyz) are included.
Comment 5 jxtps435 2018-12-04 10:49:38 PST 
Note that this does not reproduce when A.example is localhost - for some reason it only happens with "real" domains (or over https?)
Comment 6 jxtps435 2018-12-04 10:52:06 PST 
It looks like the tests added in https://bugs.webkit.org/show_bug.cgi?id=185235 are insufficient since they use localhost.
Comment 7 Daniel Bates 2018-12-04 11:01:00 PST 
This needs to be fixed in CFNetwork. This work is tracked in <rdar://problem/42097136>. Keeping this bug open to add tests.