Bug 230568 - SameSite=Lax cookie attribute not correctly handled in Safari 14.0.2 < version <= current
Summary: SameSite=Lax cookie attribute not correctly handled in Safari 14.0.2 < versio...
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
Keywords: InRadar
Depends on:
Reported: 2021-09-21 11:22 PDT by Kelly Kaoudis
Modified: 2022-07-11 09:28 PDT (History)
8 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Kelly Kaoudis 2021-09-21 11:22:07 PDT
# Overview
macOS Safari (at least since 14.1.1 and up to current, but not in 14.0.2 as tested by Twitter folks) does not include cookies with SameSite=Lax set on cross Origin non-serverside-state-updating (e.g., GET) HTTP requests instead of following the Lax rules.

# Steps to reproduce
- While logged into twitter.com, mark your .twitter.com scoped `auth_token` cookie as SameSite=Lax by editing the SameSite dropdown for the cookie in the Storage tab of the developer console.

- Navigate to the following link https://www.engadget.com/twitter-direct-message-updates-195652044.html?src=rss&guce_referrer=aHR0cHM6Ly90LmNvL3FpN3BhOXlyZjg_YW1wPTE&guce_referrer_sig=AQAAAEZaKN87r0LiegVuWd6TtxuxVe3jSzY_SzGhsIfe_nA6l589zEympWuaschonGlXwINFXAGeehYTGIWPBUSMJJGmyJRyyvkDY-LzAb3PSb-Ue3WNmHNHmkpUNkZ1cGw8OxmQ37pWcNQ3NOo-rSiQMRMBSsuYpJey49wha26bI5bn&guccounter=2

- Scroll down to the embedded Tweet and click the “Tweet your reply” button in the embedded Tweet (The Tweet contains the text “Some DM improvements are coming your way over the next few weeks…”)

- Instead of getting redirected to your logged in timeline on twitter.com with a popup Tweet composer already set to reply to the embedded Tweet as occurs in Chrome and Firefox, you will be redirected to log in. `auth_token` was not sent on GET https://twitter.com/intent/tweet?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1428408769835421701%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.engadget.com%2Ftwitter-direct-message-updates-195652044.html&in_reply_to=1428408769835421701 because we added the Lax property before we clicked the link. 

# Actual result
The Twitter account cannot remain logged in since our cookie marked with SameSite=Lax was not sent with the GET request opening the composer.

# Expected result
To produce the equivalent (but cookie handled according to SameSite=Lax instead of not sent to twitter.com) flow in Chrome, you can follow the same steps - change the cookie’s SameSite property to Lax, load the engadget link and click through the Embed to GET/load your twitter.com home timeline and a composer window. Your user should still be logged in after clicking through in Chrome and should be able to respond directly to the Tweet - this is the _desired_ behaviour, instead of the cookie being completely dropped/ignored as it is in Safari. 

# References
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#lax 
- https://bugs.webkit.org/buglist.cgi?quicksearch=SameSite
- https://bugs.webkit.org/show_bug.cgi?id=226386
- https://bugs.webkit.org/show_bug.cgi?id=213510
- https://github.com/vintasoftware/safari-samesite-cookie-issue (it is possible the issue may be a regression to this behaviour; it is not present at least for macOS Safari 14.0.2?)
- https://bugs.webkit.org/show_bug.cgi?id=198181
- https://bugs.webkit.org/show_bug.cgi?id=210298
- https://bugs.webkit.org/show_bug.cgi?id=219650
- https://cwe.mitre.org/data/definitions/1275.html
Comment 1 Radar WebKit Bug Importer 2021-09-21 11:22:26 PDT
Comment 2 John Wilander 2022-02-28 21:11:15 PST
Re-classifying to non-security since this fails closed.
Comment 3 Chris Dumez 2022-07-08 12:45:30 PDT
Pull request: https://github.com/WebKit/WebKit/pull/2236
Comment 4 EWS 2022-07-11 09:28:34 PDT
Committed 252341@main (ac5c740216a5): <https://commits.webkit.org/252341@main>

Reviewed commits have been landed. Closing PR #2236 and removing active labels.