Bug 196592 - Cookies not sent with third party requests via XHR or iFrame
Summary: Cookies not sent with third party requests via XHR or iFrame
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames
Version: Safari 12
Hardware: All All
Importance: P2 Major
Assignee: Nobody
Keywords: InRadar
Reported: 2019-04-03 23:08 PDT by Sam Potts
Modified: 2019-04-04 17:32 PDT
Description Sam Potts 2019-04-03 23:08:17 PDT
Since Safari 12 we're seeing some strange issues with XHR requests which are affecting our SSO solution. Here's the flow we're using:

- User visits `my.example1.com` and logs in. 
- User is then SSO'd to `example2.com`.
- `example2.com` will render a keep-alive script that makes a client-side request to `my.example1.com/path/to/page` either via XHR or a hidden `<iframe>` (with the required `sandbox` attribute properties) on every page load or periodically to keep the session alive and check that the user is authenticated; either by the resultant JSON in the XHR or a postMessage in the `<iframe>` method.
- If user logs out of `my.example1.com`, they are logged out of `example2.com`

This was working great using XHR until Safari 12; then suddenly the auth cookies were no longer sent with this request so the user appeared to be unauthenticated. We then implemented a hidden `<iframe>` solution where it would hit a URL that would send a postMessage to the parent indicating if the user was authenticated. This seemed to work fine until a recent update of Safari in macOS 10.14.4 and now the `<iframe>` is rendered to the DOM but does not appear to load or make the request at all and thus no message is received by the parent. Chrome and Firefox still seem ok with the XHR method. 

Ideally we'd like to use the XHR solution for all browsers to keep things simple. 

We're at a loss and all we're getting is customer complaints as they are booted out of `example2.com` instantly after being redirected. At the moment we're just steering users away from Safari as a result. I really doubt this is an uncommon pattern.
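
The keep-alive flow described in this report, sketched as an added example (not code from the reporter or from WebKit). The hostname and path are the report's own; the `https` scheme, the JSON and message shapes, the function names and the 5-second timeout are assumptions.

```javascript
// Added illustration of the session check that example2.com runs.
const IDP_ORIGIN = 'https://my.example1.com';   // login site named in the report (scheme assumed)
const CHECK_URL = IDP_ORIGIN + '/path/to/page'; // keep-alive endpoint named in the report

// XHR-style check. Cookies travel on this cross-origin request only if the
// caller asks for credentials AND the browser agrees to attach them; without
// them the server sees an anonymous request and reports "not authenticated".
// fetchImpl is injectable so the logic can be exercised without a network.
async function checkViaRequest(fetchImpl) {
  try {
    const res = await fetchImpl(CHECK_URL, { credentials: 'include', cache: 'no-store' });
    if (!res.ok) return 'unknown';              // server error: not proof of logout
    const body = await res.json();              // assumed shape: { authenticated: boolean }
    return body.authenticated === true ? 'authenticated' : 'unauthenticated';
  } catch (err) {
    return 'unknown';                           // network failure or blocked request
  }
}

// iframe-style check: classify a postMessage event received by the parent.
// Anything from another origin, or with an unexpected shape, is ignored so a
// different frame cannot assert or revoke the session state.
function classifyMessage(event) {
  if (event.origin !== IDP_ORIGIN) return 'ignored';
  const data = event.data;                      // assumed shape: { type, authenticated }
  if (!data || data.type !== 'session-status' || typeof data.authenticated !== 'boolean') {
    return 'ignored';
  }
  return data.authenticated ? 'authenticated' : 'unauthenticated';
}

// Parent-page wiring. If the frame never loads (the second symptom in the
// report) no message arrives, so a timeout reports 'unknown' instead of
// leaving the page waiting forever.
function watchSession(win, onState, timeoutMs = 5000) {
  let answered = false;
  win.addEventListener('message', (event) => {
    const state = classifyMessage(event);
    if (state === 'ignored') return;
    answered = true;
    onState(state);
  });
  win.setTimeout(() => { if (!answered) onState('unknown'); }, timeoutMs);
}
```

In a browser, `checkViaRequest(fetch.bind(window))` and `watchSession(window, handler)` wire this up; keeping `'unknown'` separate from `'unauthenticated'` lets the page tell a request that got no answer apart from an explicit logout.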
Comment 1 Radar WebKit Bug Importer 2019-04-04 15:00:59 PDT
Comment 2 Alex Christensen 2019-04-04 17:18:53 PDT
Could you give a link to a live site that reproduces this issue?  If you'd rather not post one here, feel free to email me one directly.
Comment 3 Sam Potts 2019-04-04 17:32:48 PDT
Sorry, I should have included something in my original email. I'll try and get a POC available for this.