Bug 200307 - SameSite Lax cookies aren't sent from tabs recovered from last Safari session when in scope of service workers
Summary: SameSite Lax cookies aren't sent from tabs recovered from last Safari session...
Status: RESOLVED DUPLICATE of bug 200345
Alias: None
Product: WebKit
Classification: Unclassified
Component: Service Workers (show other bugs)
Version: Safari Technology Preview
Hardware: All All
: P2 Major
Assignee: Nobody
Depends on:
Reported: 2019-07-31 10:10 PDT by Rafael
Modified: 2019-08-02 13:32 PDT (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Rafael 2019-07-31 10:10:12 PDT
Let there be a tab with a loaded web page which:

- contains a cookie with the SameSite bit set to "Lax"
- contains an active ServiceWorker proxying fetch requests

After killing the Safari app on iOS and reopening it, Safari will reload the tab.

During this reload the Lax cookie won't be sent in the requests to the server. If you refresh the page, even multiple times, the cookie will still not be sent.

If this cookie is a login cookie, the page will be show as if aren't logged in, resulting in a weird behavior for the user.

However, if you tap the address bar, make **no change** and tap go, navigating to the current page again, the cookie will be sent this time "fixing" the page.

I created a very simple and barebones demonstration of this bug:

- Bug reproduction website: https://rocky-fjord-97287.herokuapp.com/

- Source Code: https://github.com/xfalcox/safari-sw-samesite-bug

This bug affect the open source Forum software Discourse, and made me drop the offline browsing feature for Apple devices due to it.
Comment 1 Alexey Proskuryakov 2019-08-02 13:32:30 PDT
Looks like the same issue was filed separately a bit later, and that is already releted to a radar. Forward duping.

*** This bug has been marked as a duplicate of bug 200345 ***