Bug 228261 - cookies with SameSite information are never sent for “unofficial” or new TLDs in iOS-12.x for non-toplevel requests
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: Other
Hardware: iPhone / iPad Other
Importance: P2 Normal
Assignee: Nobody
Reported: 2021-07-23 18:01 PDT by Nathan Phillip Brink (binki)
Modified: 2021-07-26 23:29 PDT

Description Nathan Phillip Brink (binki) 2021-07-23 18:01:41 PDT
In iOS-12.5.3, if I connect to a site with a name such as “blah.not-a-tld” (using a custom local DNS setup) and then issue cookies to Mobile Safari with any SameSite specified (for example, SameSite=Lax), then these cookies are only sent for toplevel requests. They are omitted from XHR.

I suspect that that version of Safari does not have r245299 which changes how areRegistrableDomainsEqual() handles domain names not in the hardcoded TLD list shipped with iOS. I suspect that, prior to r245299, the effective cookie site URI is the empty string. After that change, the effective cookie site will be the entire host (because of the domain.isEmpty() check added in registrableDomainFromHost() by that changeset).

To reproduce:

1. Produce a webserver issuing a header such as Set-Cookie: c=1; Path=/; SameSite=Lax such as with the following command: node -e "require('http').createServer((req, res) => {console.log(req.headers); res.writeHead(200, {'Set-Cookie': 'c=1; Path=/; HttpOnly; SameSite=Lax', 'Cache-Control': 'no-cache', 'Content-Type': 'text/html; charset=utf-8'}).end('<html>');}).listen(3000)"
2. Configure your network and iPod running iOS-12.5.3 (latest for iPod6) such that the host blah.not-a-tld resolves to your server. For example, add an entry to the server’s /etc/hosts and run dnsmasq on the server and then set custom DNS servers pointing to your server in your iPod’s network settings.
3. On the iPod, navigate to http://blah.not-a-tld:3000/.
4. Using Web Inspector from Safari Technology Preview on a Mac OS X machine, run fetch('http://blah.not-a-tld:3000/', { credentials: 'include', }) twice.

Expected results:

The second time the fetch is run, the request should send the cookie. This will be visible to the server and via Web Inspector.

Actual results:

The second time the fetch is run, the cookie is not sent.

If SameSite is removed entirely from the Set-Cookie header, the cookie is sent.

If top-level navigation is performed (e.g., reload the page or renavigate to it in Mobile Safari), the cookie is sent.

The problem is not reproducible in iOS-14.6.
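
The reproduction steps above as a self-contained probe server, added here as an example and not part of the original report: it issues the report's SameSite=Lax cookie alongside a control cookie without SameSite, and serves a page that runs the two credentialed fetches itself so no Web Inspector is needed. The /probe path, the ctl cookie and the verdict names are assumptions of this example.

```javascript
// Added diagnostic, not code from the bug report. Start with: node probe.js serve
// The /probe path and the control cookie "ctl" are assumptions of this example.
const COOKIES = [
  'c=1; Path=/; HttpOnly; SameSite=Lax', // cookie from the report
  'ctl=1; Path=/; HttpOnly',             // control: same cookie without SameSite
];
// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Classify one request by which of the two cookies arrived.
function classify(url, cookieHeader) {
  const jar = parseCookies(cookieHeader);
  const kind = url.startsWith('/probe') ? 'subresource' : 'top-level';
  const sameSite = jar.c === '1', control = jar.ctl === '1';
  const verdict = sameSite ? (control ? 'both-sent' : 'control-missing')
                           : (control ? 'samesite-cookie-dropped' : 'no-cookies');
  return { kind, sameSite, control, verdict };
}

// Page that runs two credentialed fetches (step 4) and prints the server's view.
const PAGE = `<!doctype html><pre id="out"></pre><script>
function probe(n) {
  return fetch('/probe?n=' + n, { credentials: 'include' })
    .then(function (r) { return r.json(); })
    .then(function (j) { document.getElementById('out').textContent += JSON.stringify(j) + '\\n'; });
}
probe(1).then(function () { return probe(2); });
</script>`;
// Build the response; every response re-issues both cookies.
function respond(url, cookieHeader) {
  const result = classify(url, cookieHeader), json = result.kind === 'subresource';
  const type = json ? 'application/json' : 'text/html; charset=utf-8';
  return { result, headers: { 'Set-Cookie': COOKIES, 'Cache-Control': 'no-cache', 'Content-Type': type },
           body: json ? JSON.stringify(result) : PAGE };
}

if (process.argv[2] === 'serve') {
  require('http').createServer(function (req, res) {
    const r = respond(req.url, req.headers.cookie);
    console.log(req.url, JSON.stringify(r.result));
    res.writeHead(200, r.headers); res.end(r.body);
  }).listen(3000); // port from the report
}
```

With blah.not-a-tld resolving to the server as in step 2, a samesite-cookie-dropped verdict on the /probe lines matches the behaviour the report describes, while no-cookies points at cookies being blocked altogether rather than at SameSite handling.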
Comment 1 Alexey Proskuryakov 2021-07-26 15:18:01 PDT
Thank you for the report! Since this is not reproducible on a current version, I'm resolving this as Configuration Changed. There is no way for us to fix an issue back in the past.
Comment 2 Nathan Phillip Brink (binki) 2021-07-26 23:29:05 PDT
Also affects iOS-12.5.4.