RESOLVED CONFIGURATION CHANGED 210612
Download Linked File does not provide cookie if SameSite=Lax
https://bugs.webkit.org/show_bug.cgi?id=210612
Sam Ottenhoff
Reported 2020-04-16 10:52:21 PDT
Observed by educational institutions using learning management software (LMS) with Safari 13.1 on macOS 10.15.4. All users must authenticate to the system. Session state is maintained via a cookie with "SameSite=Lax;Secure". Instructors upload files like syllabus.pdf, and users must be authenticated to download the file. A user cannot download syllabus.pdf via "Download Linked File" because the SameSite=Lax cookie is not presented to the server. Proof of concept here: https://samesite.longsight.com/index.php. Reload after the first view and the cookies presented to the server will be displayed. Use "Download Linked File" and view as text to see what cookies (none) were sent to the server. This is same-domain only, HTTPS only, and a very common use case in an authenticated learning management system.
Radar WebKit Bug Importer
Comment 1 2020-04-17 12:49:15 PDT
Alex Christensen
Comment 2 2020-05-15 16:42:36 PDT
Thank you for reporting this. Your proof of concept uses SameSite=Strict, not SameSite=Lax, but it led me to a good fix. SameSite=Strict cookies were indeed not being sent. Unfortunately, you won't see the fix here because the problematic code is not in open source WebKit. If you're really enthusiastic about this bug, could you verify that the bug does not reproduce on iOS, and that the bug is fixed in an upcoming Safari Technology Preview? I can't give you an exact time frame, but it's most likely that you'll see the fix there before anywhere else.
Sam Ottenhoff
Comment 3 2020-05-15 16:57:06 PDT
* I fixed my proof of concept to only send the Lax cookie.
* I tested on iOS 13.4.1 Safari and both cookies (Strict and Lax) are sent as expected when using Download Linked File.
Alex Christensen
Comment 4 2020-05-15 21:10:21 PDT
Great! Using your updated proof of concept I verified that SameSite=Lax and SameSite=Secure cookies are both fixed by the same non-open-source fix.
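To make the expected behaviour in the report and in Comment 4 concrete, here is an added model (not WebKit code, and not the reporter's PHP proof of concept) of the SameSite attachment rules a conforming browser applies: a same-site "Download Linked File" request must carry both the Lax and the Strict session cookie, a cross-site top-level GET carries only the Lax one, and a cross-site subresource carries neither. The cookie names, the site_of() heuristic and the jar contents are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    same_site: str = "Lax"   # "Strict", "Lax" or "None"; modern browsers default to Lax
    secure: bool = False

def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value; only the attributes this model needs."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    same_site, secure = "Lax", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "samesite":
            same_site = val.strip().capitalize()   # "lax" -> "Lax"
        elif key.lower() == "secure":
            secure = True
    return Cookie(name, value, same_site, secure)

def site_of(url: str) -> str:
    """Approximate the registrable domain as the last two host labels (no PSL lookup; constructed)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def cookies_to_send(jar, request_url, initiator_url, top_level_nav, method="GET"):
    """Names of the cookies a conforming browser attaches to request_url."""
    is_same_site = site_of(request_url) == site_of(initiator_url)
    over_https = urlsplit(request_url).scheme == "https"
    safe_nav = top_level_nav and method in ("GET", "HEAD")
    sent = []
    for c in jar:
        if c.secure and not over_https:
            continue  # Secure cookies are never sent over plain HTTP
        if c.same_site == "Strict" and not is_same_site:
            continue  # Strict: same-site requests only
        if c.same_site == "Lax" and not (is_same_site or safe_nav):
            continue  # Lax: same-site, or a cross-site top-level GET/HEAD navigation
        sent.append(c.name)
    return sent

# Constructed jar mirroring the report: a Lax session cookie plus a Strict one.
JAR = [parse_set_cookie("JSESSIONID=abc123; SameSite=Lax; Secure"),
       parse_set_cookie("strict_probe=1; SameSite=Strict; Secure")]
LMS = "https://samesite.longsight.com"
```

Running cookies_to_send(JAR, LMS + "/syllabus.pdf", LMS + "/index.php", True) returns both names; a server that sees an empty list for that same-site download, as the reporter observed, is seeing a browser bug rather than a SameSite rule.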