RESOLVED DUPLICATE of bug 194906
Bug 196375
Safari (still) doesn't send Lax cookies after a cross-site redirection
https://bugs.webkit.org/show_bug.cgi?id=196375
Flávio Juvenal (fjsj)
Reported
2019-03-28 15:10:31 PDT
Safari doesn't send Lax cookies after a cross-site redirection. This breaks very common web application workflows, like clicking a tracker link on GMail.

Even though this seems related to #188165 and to #194906, please check this, as the problem still happens in MacOS 10.14.4 and iOS 12.2.

Simple steps to reproduce:
- Open https://safari-samesite-issue.herokuapp.com/target/ to set some Lax cookies
- Open https://safari-samesite-issue-other.herokuapp.com/redirect/
- Note that domain is different. That site performs a CROSS-SITE REDIRECT to https://safari-samesite-issue.herokuapp.com/target/
- Check that cookies set by /target/ aren't sent after /redirect/

Detailed steps to reproduce:
- Open https://safari-samesite-issue.herokuapp.com/target/
- If it's your first visit, you should see something like:
    request.session.session_key: None
    request.session['obj']: a916f354195a4a45b6933ef41b26bdda
    request.META['CSRF_COOKIE']:
    CSRF cookie (from JS): NHaGQEiZ0PofLDqOG0vgYi7mD4kpBFvcEsxRQdLssjpaxG6hKixjT8iKaIOAau2g
- What we're seeing above is:
    * those values are related to two cookies, sessionid and csrftoken. Both have the flag SameSite: Lax
    * request.session.session_key is None because request was sent without a sessionid cookie, since it was the first request
    * request.session['obj'] shows a value because that was set into the session whose sessionid cookie was set by the response
    * request.META['CSRF_COOKIE'] is empty because request was sent without a csrftoken cookie, since it was the first request
    * CSRF cookie (from JS) shows a value because the csrftoken cookie was set by the response
- Refresh https://safari-samesite-issue.herokuapp.com/target/ and you'll see values for request.session.session_key and request.META['CSRF_COOKIE'], meaning their cookies were well set
- Go to https://safari-samesite-issue-other.herokuapp.com/redirect/
- Note that domain is different. That site performs a CROSS-SITE REDIRECT to https://safari-samesite-issue.herokuapp.com/target/
- Now, at the same URL we first saw, we see something like:
    request.session.session_key: None
    request.session['obj']: 5a0d196943c6447582720cc1582bdb61
    request.META['CSRF_COOKIE']:
    CSRF cookie (from JS): null
- That's wrong. Lax cookies should be sent after a cross-site redirection. Other browsers don't behave that way. Tested on Chrome and Firefox for Mac.
- Issue seems even more serious because not only Safari doesn't send the cookies after the redirect, but it also can't read the cookies set by the response after the redirect. That's why "CSRF cookie (from JS)" is null.

Safari versions tested:
- BROKEN on MacOS 10.14.4 (18E226), Safari 12.1 (14607.1.40.1.4)
- BROKEN on iOS 12.2
- FIXED on Safari Technology Preview Release 77 (Safari 12.2, WebKit 14608.1.7.3) - as stated before
- FIXED on Safari Technology Preview Release 78 (Safari 12.2, WebKit 14608.1.9.1)

Steps to reproduce (other issue?). A similar problem that happens only on iOS 12.2, but not on MacOS 10.14.4:
- Open GMail
- Send an email to yourself with the following link on body: https://safari-samesite-issue.herokuapp.com/target/
- Note the link above is /target/ directly, not a cross-domain redirection...
- ...but GMail adds its own tracker link at onclick, so redirect happens from https://www.google.com/url?q=...
- When you reach /target/, you'll see empty values for request.session.session_key and request.META['CSRF_COOKIE'], meaning again that Lax cookies weren't sent

Workaround for both problems described above:
- Don't use SameSite: Lax. Remove SameSite attribute from your cookies.

Application code available at: https://github.com/vintasoftware/safari-samesite-cookie-issue

Possibly related issues:
- "Same Site Lax cookies are not sent with cross-site redirect from client-initiated load" - https://bugs.webkit.org/show_bug.cgi?id=194906
- "iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication" - https://bugs.webkit.org/show_bug.cgi?id=188165
- "Microsoft Security Advisory: iOS12 breaks social, WSFed and OIDC logins #318" - https://github.com/aspnet/Announcements/issues/318
- "Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default" - https://code.djangoproject.com/ticket/30250
- "Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave" - https://code.djangoproject.com/ticket/29975
- "Safari 12 redirects back to /accounts/login" - https://github.com/IronCountySchoolDistrict/django-python3-saml/issues/1
- (Despite the link above says ITP is related, it doesn't seem to be. Even disabling it, issue is persistent)
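The reproduction described in this report, as an added example that is not part of the original report and is not the vintasoftware test application: a standard-library WSGI stand-in for the /target/ and /redirect/ endpoints, with the report's workaround (omitting the SameSite attribute) as a switch. The names `make_app` and `call`, the port, and the 127.0.0.1/localhost host pair are assumptions made for this sketch.

```python
# Added example: stdlib stand-in for the report's test endpoints (constructed,
# not the project's code). Names, port and hosts are assumptions.
import uuid
from http.cookies import SimpleCookie
from wsgiref.simple_server import make_server

COOKIE_NAMES = ("sessionid", "csrftoken")  # the two cookies named in the report


def make_app(target_url, samesite="Lax"):
    """Build the WSGI app; samesite=None applies the report's workaround."""

    def set_cookie_header(name, value):
        header = f"{name}={value}; Path=/"
        if samesite:  # workaround: leave the attribute out entirely
            header += f"; SameSite={samesite}"
        return ("Set-Cookie", header)

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if path == "/redirect/":
            # Reached through the *other* host: the cross-site hop of the repro.
            start_response("302 Found", [("Location", target_url)])
            return [b""]
        if path != "/target/":
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        received = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        headers = [("Content-Type", "text/plain; charset=utf-8")]
        lines = []
        for name in COOKIE_NAMES:
            if name in received:
                lines.append(f"{name} received: {received[name].value}")
            else:
                # After a prior visit, "None" here is the symptom in the report.
                lines.append(f"{name} received: None")
                headers.append(set_cookie_header(name, uuid.uuid4().hex))
        start_response("200 OK", headers)
        return ["\n".join(lines).encode() + b"\n"]

    return app


def call(app, path, cookie=""):
    """Drive the app without sockets; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Assumed local setup: open http://127.0.0.1:8000/target/ twice, then
    # http://localhost:8000/redirect/ (a different site) and compare the output.
    make_server("127.0.0.1", 8000, make_app("http://127.0.0.1:8000/target/")).serve_forever()
```

Passing `samesite=None` to `make_app` gives the no-Lax variant, so the same two-step visit can be compared with and without the attribute.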
Attachments
iOS 12.2 in-app Safari Lax cookies issue (5.74 MB, video/mp4)
2019-03-29 12:01 PDT, Flávio Juvenal (fjsj)
Chris Dumez
Comment 1
2019-03-28 15:16:28 PDT
- FIXED on Safari Technology Preview Release 77 (Safari 12.2, WebKit 14608.1.7.3) - as stated before
- FIXED on Safari Technology Preview Release 78 (Safari 12.2, WebKit 14608.1.9.1)

So this has already been fixed? If so, why the bug report?
Chris Dumez
Comment 2
2019-03-28 15:18:59 PDT
(In reply to Chris Dumez from comment #1)
> - FIXED on Safari Technology Preview Release 77 (Safari 12.2, WebKit
> 14608.1.7.3) - as stated before
> - FIXED on Safari Technology Preview Release 78 (Safari 12.2, WebKit
> 14608.1.9.1)
>
> So this has already been fixed? If so, why the bug report?

Personally, I get:
request.session.session_key: jzk0evlci0c5lq3v174ti02g7zlp6kxj
On first link.

and
request.session.session_key: jzk0evlci0c5lq3v174ti02g7zlp6kxj
On second link.

Seems fine, no?
Flávio Juvenal (fjsj)
Comment 3
2019-03-28 15:24:53 PDT
Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked me to "file a new bug, with complete steps to reproduce" and a live site. That's what I did here. Alexey also believed issue should be fixed in iOS 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta version). Also, check John Wilander comment 45: https://bugs.webkit.org/show_bug.cgi?id=188165#c45

Are you testing on Safari 12.1 (not Technology Preview)?
Chris Dumez
Comment 4
2019-03-28 15:29:50 PDT
(In reply to Flávio Juvenal (fjsj) from comment #3)
> Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> me to "file a new bug, with complete steps to reproduce" and a live site.
> That's what I did here. Alexey also believed issue should be fixed in iOS
> 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> version). Also, check John Wilander comment 45:
> https://bugs.webkit.org/show_bug.cgi?id=188165#c45
>
> Are you testing on Safari 12.1 (not Technology Preview)?

The odd thing is that the fix was apparently in CFNetwork, not WebKit/Safari. Therefore, I would not expect different behavior with Safari Technology Preview and System Safari from macOS 10.14.4.
Chris Dumez
Comment 5
2019-03-28 15:31:19 PDT
(In reply to Chris Dumez from comment #4)
> (In reply to Flávio Juvenal (fjsj) from comment #3)
> > Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> > me to "file a new bug, with complete steps to reproduce" and a live site.
> > That's what I did here. Alexey also believed issue should be fixed in iOS
> > 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> > version). Also, check John Wilander comment 45:
> > https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> >
> > Are you testing on Safari 12.1 (not Technology Preview)?
>
> The odd thing is that the fix was apparently in CFNetwork, not
> WebKit/Safari. Therefore, I would not expect different behavior with Safari
> Technology Preview and System Safari from macOS 10.14.4.

Interesting, I was testing on a more recent OS build as it was working. I have confirmed that it indeed does not work as expected on macOS 10.14.4 with System Safari.
Chris Dumez
Comment 6
2019-03-28 15:33:15 PDT
(In reply to Chris Dumez from comment #5)
> (In reply to Chris Dumez from comment #4)
> > (In reply to Flávio Juvenal (fjsj) from comment #3)
> > > Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> > > me to "file a new bug, with complete steps to reproduce" and a live site.
> > > That's what I did here. Alexey also believed issue should be fixed in iOS
> > > 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> > > version). Also, check John Wilander comment 45:
> > > https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> > >
> > > Are you testing on Safari 12.1 (not Technology Preview)?
> >
> > The odd thing is that the fix was apparently in CFNetwork, not
> > WebKit/Safari. Therefore, I would not expect different behavior with Safari
> > Technology Preview and System Safari from macOS 10.14.4.
>
> Interesting, I was testing on a more recent OS build as it was working. I
> have confirmed that it indeed does not work as expected on macOS 10.14.4
> with System Safari.

And it works with Trunk WebKit on macOS 10.14.4. So there is definitely a fix in WebKit that's needed.
John Wilander
Comment 7
2019-03-28 15:34:42 PDT
Dan Bates was the WebKit engineer working on this.
Chris Dumez
Comment 8
2019-03-28 15:36:13 PDT
(In reply to Chris Dumez from comment #6)
> (In reply to Chris Dumez from comment #5)
> > (In reply to Chris Dumez from comment #4)
> > > (In reply to Flávio Juvenal (fjsj) from comment #3)
> > > > Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> > > > me to "file a new bug, with complete steps to reproduce" and a live site.
> > > > That's what I did here. Alexey also believed issue should be fixed in iOS
> > > > 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> > > > version). Also, check John Wilander comment 45:
> > > > https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> > > >
> > > > Are you testing on Safari 12.1 (not Technology Preview)?
> > >
> > > The odd thing is that the fix was apparently in CFNetwork, not
> > > WebKit/Safari. Therefore, I would not expect different behavior with Safari
> > > Technology Preview and System Safari from macOS 10.14.4.
> >
> > Interesting, I was testing on a more recent OS build as it was working. I
> > have confirmed that it indeed does not work as expected on macOS 10.14.4
> > with System Safari.
>
> And it works with Trunk WebKit on macOS 10.14.4. So there is definitely a
> fix in WebKit that's needed.

I am working on bisecting which Webkit change fixed this.
Chris Dumez
Comment 9
2019-03-28 15:52:54 PDT
(In reply to Chris Dumez from comment #8)
> (In reply to Chris Dumez from comment #6)
> > (In reply to Chris Dumez from comment #5)
> > > (In reply to Chris Dumez from comment #4)
> > > > (In reply to Flávio Juvenal (fjsj) from comment #3)
> > > > > Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> > > > > me to "file a new bug, with complete steps to reproduce" and a live site.
> > > > > That's what I did here. Alexey also believed issue should be fixed in iOS
> > > > > 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> > > > > version). Also, check John Wilander comment 45:
> > > > > https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> > > > >
> > > > > Are you testing on Safari 12.1 (not Technology Preview)?
> > > >
> > > > The odd thing is that the fix was apparently in CFNetwork, not
> > > > WebKit/Safari. Therefore, I would not expect different behavior with Safari
> > > > Technology Preview and System Safari from macOS 10.14.4.
> > >
> > > Interesting, I was testing on a more recent OS build as it was working. I
> > > have confirmed that it indeed does not work as expected on macOS 10.14.4
> > > with System Safari.
> >
> > And it works with Trunk WebKit on macOS 10.14.4. So there is definitely a
> > fix in WebKit that's needed.
>
> I am working on bisecting which Webkit change fixed this.

Fails: r241775
Works: r241964

I am having issues with the builds in between :/
Chris Dumez
Comment 10
2019-03-28 15:56:28 PDT
(In reply to Chris Dumez from comment #9)
> (In reply to Chris Dumez from comment #8)
> > (In reply to Chris Dumez from comment #6)
> > > (In reply to Chris Dumez from comment #5)
> > > > (In reply to Chris Dumez from comment #4)
> > > > > (In reply to Flávio Juvenal (fjsj) from comment #3)
> > > > > > Chris Dumez, I've described this issue at #188165, Alexey Proskuryakov asked
> > > > > > me to "file a new bug, with complete steps to reproduce" and a live site.
> > > > > > That's what I did here. Alexey also believed issue should be fixed in iOS
> > > > > > 12.2 and macOS 10.14.4, but it isn't (or at least isn't in non-beta
> > > > > > version). Also, check John Wilander comment 45:
> > > > > > https://bugs.webkit.org/show_bug.cgi?id=188165#c45
> > > > > >
> > > > > > Are you testing on Safari 12.1 (not Technology Preview)?
> > > > >
> > > > > The odd thing is that the fix was apparently in CFNetwork, not
> > > > > WebKit/Safari. Therefore, I would not expect different behavior with Safari
> > > > > Technology Preview and System Safari from macOS 10.14.4.
> > > >
> > > > Interesting, I was testing on a more recent OS build as it was working. I
> > > > have confirmed that it indeed does not work as expected on macOS 10.14.4
> > > > with System Safari.
> > >
> > > And it works with Trunk WebKit on macOS 10.14.4. So there is definitely a
> > > fix in WebKit that's needed.
> >
> > I am working on bisecting which Webkit change fixed this.
>
> Fails: r241775
> Works: r241964
>
> I am having issues with the builds in between :/

Looking at the commits, it is very likely fixed by:
https://trac.webkit.org/changeset/241918/webkit
Chris Dumez
Comment 11
2019-03-28 15:56:42 PDT
*** This bug has been marked as a duplicate of bug 194906 ***
Flávio Juvenal (fjsj)
Comment 12
2019-03-29 08:33:41 PDT
Chris, thanks for the quick response to this issue. Have you checked if the other "Steps to reproduce (other issue?)" I listed above is also fixed by Changeset 241918? It affects only iOS, AFAIK.
Chris Dumez
Comment 13
2019-03-29 08:43:18 PDT
(In reply to Flávio Juvenal (fjsj) from comment #12)
> Chris, thanks for the quick response to this issue. Have you checked if the
> other "Steps to reproduce (other issue?)" I listed above is also fixed by
> Changeset 241918? It affects only iOS, AFAIK.

Oh, I haven't. I'll check later today and comment again.
Chris Dumez
Comment 14
2019-03-29 09:02:45 PDT
(In reply to Chris Dumez from comment #13)
> (In reply to Flávio Juvenal (fjsj) from comment #12)
> > Chris, thanks for the quick response to this issue. Have you checked if the
> > other "Steps to reproduce (other issue?)" I listed above is also fixed by
> > Changeset 241918? It affects only iOS, AFAIK.
>
> Oh, I haven't. I'll check later today and comment again.

I have just tried your steps for "other issue" and they do not reproduce an issue for me, even on macOS 10.14.4. I assume this other issue could have been Bug 188165 which got fixed in macOS 10.14.4. Can you really reproduce on macOS 10.14.4?
Flávio Juvenal (fjsj)
Comment 15
2019-03-29 09:04:56 PDT
No, they're reproducible in iOS 12.2. Does iOS 12.2 already contain the fix for Bug 188165?
Chris Dumez
Comment 16
2019-03-29 09:07:28 PDT
(In reply to Flávio Juvenal (fjsj) from comment #15)
> No, they're reproducible in iOS 12.2. Does iOS 12.2 already contain the fix
> for Bug 188165?

Oh, I have not tried iOS 12.2. And yes, the CFNetwork fix for Bug 188165 is supposed to have shipped in iOS 12.2, it is definitely surprising it would reproduce there. I'll try and do some iOS testing today.
Chris Dumez
Comment 17
2019-03-29 09:50:35 PDT
(In reply to Chris Dumez from comment #16)
> (In reply to Flávio Juvenal (fjsj) from comment #15)
> > No, they're reproducible in iOS 12.2. Does iOS 12.2 already contain the fix
> > for Bug 188165?
>
> Oh, I have not tried iOS 12.2. And yes, the CFNetwork fix for Bug 188165 is
> supposed to have shipped in iOS 12.2, it is definitely surprising it would
> reproduce there.
> I'll try and do some iOS testing today.

Does not reproduce for me on iOS 12.2 either.
Flávio Juvenal (fjsj)
Comment 18
2019-03-29 12:01:11 PDT
Created attachment 366289 [details]
iOS 12.2 in-app Safari Lax cookies issue

Chris, I've attached a video with the reproduction for the iOS-only problem. It only happens on GMail with in-app Safari browser.

I know that cookies aren't shared between Safari and GMail's webview, but the issue is that the webview doesn't seem to be able to set any Lax cookies.

The video above tests the site https://safari-samesite-issue.herokuapp.com/target/ which uses Lax cookies. Test with that link, it won't work. Afterwards, test with https://safari-issue-samesite-no-lax.herokuapp.com/target/, which doesn't use Lax cookies. It'll work.
Chris Dumez
Comment 19
2019-03-29 12:05:19 PDT
(In reply to Flávio Juvenal (fjsj) from comment #18)
> Created attachment 366289 [details]
> iOS 12.2 in-app Safari Lax cookies issue
>
> Chris, I've attached a video with the reproduction for the iOS-only problem.
> It only happens on GMail with in-app Safari browser.
>
> I know that cookies aren't shared between Safari and GMail's webview, but
> the issue is that the webview doesn't seem to be able to set any Lax cookies.
>
> The video above tests the site
> https://safari-samesite-issue.herokuapp.com/target/
> which uses Lax cookies. Test with that link, it won't work. Afterwards, test
> with https://safari-issue-samesite-no-lax.herokuapp.com/target/, which
> doesn't use Lax cookies. It'll work.

I need to try with the Gmail app, I had tried with Gmail.com in MobileSafari earlier.
Chris Dumez
Comment 20
2019-03-29 12:33:59 PDT
(In reply to Chris Dumez from comment #19)
> (In reply to Flávio Juvenal (fjsj) from comment #18)
> > Created attachment 366289 [details]
> > iOS 12.2 in-app Safari Lax cookies issue
> >
> > Chris, I've attached a video with the reproduction for the iOS-only problem.
> > It only happens on GMail with in-app Safari browser.
> >
> > I know that cookies aren't shared between Safari and GMail's webview, but
> > the issue is that the webview doesn't seem to be able to set any Lax cookies.
> >
> > The video above tests the site
> > https://safari-samesite-issue.herokuapp.com/target/
> > which uses Lax cookies. Test with that link, it won't work. Afterwards, test
> > with https://safari-issue-samesite-no-lax.herokuapp.com/target/, which
> > doesn't use Lax cookies. It'll work.
>
> I need to try with the Gmail app, I had tried with Gmail.com in MobileSafari
> earlier.

Ok, I was able to reproduce the issue on iOS 12.2 using the Gmail app. I have confirmed that r241900 fails and r241920 works. It is therefore extremely likely that this was fixed by https://trac.webkit.org/changeset/241918/webkit and that the iOS issue you're seeing is a dupe of bug 194906 as well.
Flávio Juvenal (fjsj)
Comment 21
2019-03-29 12:54:49 PDT
Good to know, thanks. Does that mean the next minor version update should fix this or that's hard to say?
Chris Dumez
Comment 22
2019-03-29 12:56:27 PDT
(In reply to Flávio Juvenal (fjsj) from comment #21)
> Good to know, thanks. Does that mean the next minor version update should
> fix this or that's hard to say?

Sorry, I cannot comment on when a particular fix will ship to customers. This does seem like a bad bug though and I hope we can ship to customers sooner rather than later.