Bug 230350 - SameSite=Lax|Strict cookie is accepted even if cookie came from cross-site response
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames
Version: Safari Technology Preview
Hardware: Mac (Intel) macOS 11
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-09-16 08:12 PDT by Jakob L
Modified: 2021-12-14 09:39 PST
CC: 5 users

See Also:


Attachments
Safari accepts cookie loaded via 3rd-party frame, see https://github.com/jaylinski/safari-same-site-cookie for more screenshots (177.93 KB, image/png)
2021-09-16 08:12 PDT, Jakob L

Description Jakob L 2021-09-16 08:12:55 PDT
Created attachment 438351
Safari accepts cookie loaded via 3rd-party frame, see https://github.com/jaylinski/safari-same-site-cookie for more screenshots

## Description of the issue

Safari doesn't send "SameSite=Lax" and "SameSite=Strict" cookies to a same-site if the same-site was loaded by a cross-site iframe (which is the correct behavior).
But: Safari *accepts* "SameSite=Lax" and "SameSite=Strict" cookies from a same-site if the same-site was loaded by a cross-site iframe (which is probably the wrong behavior).

The behavior from Safari differs from the behavior of Chrome and Firefox.
Both Chrome and Firefox block "SameSite=Lax" and "SameSite=Strict" cookies if they came from a same-site loaded by a cross-site iframe.

### Example

|- a.tld
|-- [iframe] b.tld
|--- [iframe] a.tld (Set-Cookie: x=y; path=/; SameSite=Lax)

Safari will accept the `x`-cookie, while Chrome and Firefox reject it, because "it came from a cross-site response".

## Expected behavior

Safari does not accept "SameSite=Lax" cookies loaded via cross-site iframes and behaves like Chrome and Firefox.

## Actual behavior

Safari accepts "SameSite=Lax" cookies loaded via cross-site iframes.

## Relevant spec

https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7.1

The spec only defines what to *send*, not what to *set*. So I guess Safari doesn't violate the spec, but the current behavior is still confusing.

## Additional information

I created a test case reduction in this repository:
https://github.com/jaylinski/safari-same-site-cookie
Please refer to the `readme.md` for how to set it up.

This was tested on latest Safari Technology Preview 131.

This is probably not a security issue, but it can create undesired side-effects.
In my case, the current behavior caused issues with overwritten session-cookies.
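An added example, not part of the bug report and not WebKit, Chrome or Firefox code: a small Node.js model of the same-site decision for a document nested in a chain of frames. It shows why the `a.tld` > `b.tld` > `a.tld` chain from the report is a cross-site context, and separates the "send" check (which all three browsers apply) from the "set" check (which, per the report, Chrome and Firefox apply and Safari TP 131 does not). All function names are hypothetical, and the registrable-domain logic is a deliberate approximation (last two host labels) rather than a Public Suffix List lookup.

```javascript
// Added example, not code from the bug report or from any browser engine.
// Models the SameSite decision for a document nested in a frame chain.
//
// Assumptions (not from the report): the registrable domain is approximated
// as the last two host labels (a real browser consults the Public Suffix
// List), and a "site" is scheme + registrable domain (schemeful same-site).
// The Lax exception for top-level navigations with safe methods is out of
// scope: every chain below is a frame (subresource) context.

function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  // Approximation: "www.a.tld" -> "a.tld". Wrong for multi-label public
  // suffixes such as "co.uk"; use the Public Suffix List in real code.
  return labels.slice(-2).join('.');
}

function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// A document's context is same-site only if every document in its ancestor
// chain, from the top-level page down to the document itself, is on the same
// site. One cross-site frame anywhere in the chain taints the whole context,
// which is exactly the a.tld > b.tld > a.tld case from the report.
function isSameSiteContext(frameChain) {
  if (frameChain.length === 0) throw new Error('empty frame chain');
  const target = siteOf(frameChain[frameChain.length - 1]);
  return frameChain.every((url) => siteOf(url) === target);
}

// Minimal Set-Cookie parser: name=value plus the attributes this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) throw new Error('malformed cookie pair');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: '/', sameSite: 'none' };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'path') {
      cookie.path = v.trim();
    } else if (key === 'samesite') {
      const mode = v.trim().toLowerCase();
      // Browsers differ on the default for an absent or unknown value
      // (None vs. Lax); this model uses None.
      cookie.sameSite = ['strict', 'lax', 'none'].includes(mode) ? mode : 'none';
    }
  }
  return cookie;
}

// Sending: Lax and Strict cookies are withheld from a cross-site context.
// The report says all three browsers agree on this part.
function shouldSendCookie(cookie, frameChain) {
  if (cookie.sameSite === 'none') return true;
  return isSameSiteContext(frameChain);
}

// Storing: the draft only constrains sending, so engines choose. With
// rejectCrossSiteSet=true the same check gates Set-Cookie (the Chrome/Firefox
// behaviour described in the report); with false the cookie is stored
// regardless of the frame chain (the Safari TP 131 behaviour described).
function shouldStoreCookie(cookie, frameChain, { rejectCrossSiteSet }) {
  if (cookie.sameSite === 'none') return true;
  if (!rejectCrossSiteSet) return true;
  return isSameSiteContext(frameChain);
}

// Constructed scenario from the report: a.tld embeds b.tld, which embeds
// a.tld, and the inner a.tld response sets "x=y; path=/; SameSite=Lax".
const nestedChain = ['https://a.tld/', 'https://b.tld/embed', 'https://a.tld/inner'];
const laxCookie = parseSetCookie('x=y; path=/; SameSite=Lax');

function reportScenario() {
  return {
    sameSiteContext: isSameSiteContext(nestedChain),                                                   // false
    sent: shouldSendCookie(laxCookie, nestedChain),                                                     // false
    storedLikeChromeFirefox: shouldStoreCookie(laxCookie, nestedChain, { rejectCrossSiteSet: true }),  // false
    storedLikeSafari: shouldStoreCookie(laxCookie, nestedChain, { rejectCrossSiteSet: false }),        // true
  };
}

console.log(reportScenario());
```

Run with `node` to print the four decisions for the report's frame tree. The asymmetry the report describes is visible in `reportScenario()`: the inner `a.tld` document cannot read its own Lax cookie (`sent: false`), yet under the permissive policy it can still overwrite it (`storedLikeSafari: true`), which is how a nested third-party embed ends up clobbering a first-party session cookie without ever being able to use it.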
Comment 1 Radar WebKit Bug Importer 2021-09-23 08:13:24 PDT
<rdar://problem/83447688>