macOS Safari (at least since 14.1.1 and up to current, but not in 14.0.2 as tested by Twitter folks) does not include cookies with SameSite=Lax set on cross Origin non-serverside-state-updating (e.g., GET) HTTP requests instead of following the Lax rules.
# Steps to reproduce
- While logged into twitter.com, mark your .twitter.com scoped `auth_token` cookie as SameSite=Lax by editing the SameSite dropdown for the cookie in the Storage tab of the developer console.
- Navigate to the following link https://www.engadget.com/twitter-direct-message-updates-195652044.html?src=rss&guce_referrer=aHR0cHM6Ly90LmNvL3FpN3BhOXlyZjg_YW1wPTE&guce_referrer_sig=AQAAAEZaKN87r0LiegVuWd6TtxuxVe3jSzY_SzGhsIfe_nA6l589zEympWuaschonGlXwINFXAGeehYTGIWPBUSMJJGmyJRyyvkDY-LzAb3PSb-Ue3WNmHNHmkpUNkZ1cGw8OxmQ37pWcNQ3NOo-rSiQMRMBSsuYpJey49wha26bI5bn&guccounter=2
- Scroll down to the embedded Tweet and click the “Tweet your reply” button in the embedded Tweet (The Tweet contains the text “Some DM improvements are coming your way over the next few weeks…”)
- Instead of getting redirected to your logged in timeline on twitter.com with a popup Tweet composer already set to reply to the embedded Tweet as occurs in Chrome and Firefox, you will be redirected to log in. `auth_token` was not sent on GET https://twitter.com/intent/tweet?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1428408769835421701%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.engadget.com%2Ftwitter-direct-message-updates-195652044.html&in_reply_to=1428408769835421701 because we added the Lax property before we clicked the link.
# Actual result
The Twitter account cannot remain logged in since our cookie marked with SameSite=Lax was not sent with the GET request opening the composer.
# Expected result
To produce the equivalent (but cookie handled according to SameSite=Lax instead of not sent to twitter.com) flow in Chrome, you can follow the same steps - change the cookie’s SameSite property to Lax, load the engadget link and click through the Embed to GET/load your twitter.com home timeline and a composer window. Your user should still be logged in after clicking through in Chrome and should be able to respond directly to the Tweet - this is the _desired_ behaviour, instead of the cookie being completely dropped/ignored as it is in Safari.
- https://github.com/vintasoftware/safari-samesite-cookie-issue (it is possible the issue may be a regression to this behaviour; it is not present at least for macOS Safari 14.0.2?)
Re-classifying to non-security since this fails closed.
Pull request: https://github.com/WebKit/WebKit/pull/2236
Committed 252341@main (ac5c740216a5): <https://commits.webkit.org/252341@main>
Reviewed commits have been landed. Closing PR #2236 and removing active labels.