<rdar://88979099>
<rdar://problem/90633734>
Created attachment 455374: Tests
Uploaded tests are passing in Chrome and Firefox but not in Safari.
Created attachment 455381: Patch
Comment on attachment 455381: Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=455381&action=review

r=me based on enhancing the tests (and getting green EWS bots).

> LayoutTests/http/tests/cookies/resources/testharness-helpers.js:38
> + document.cookie = LAX_DOM + "=1; SameSite=Lax; Max-Age=100; path=/";

Please add a SameSite=Strict cookie too and make sure it works as expected.

> LayoutTests/http/tests/cookies/resources/testharness-helpers.js:68
> + document.cookie = LAX_DOM + "=1; SameSite=Lax; Max-Age=100; path=/";

Ditto on a SameSite=Strict cookie.

> LayoutTests/http/tests/cookies/same-site/popup-from-iframe-same-site-with-post-form-expected.txt:2
> +PASS popup opened as 'about:blank', then post navigation to 127.0.0.1, so samesite cookies are sent.

This output should be more specific and say whether SameSite Lax and SameSite Strict cookies were sent.

> LayoutTests/http/tests/cookies/same-site/popup-from-iframe-same-site-with-post-form-expected.txt:3
> +PASS popup opened as '127.0.0.1', then post navigation to 127.0.0.1, so samesite cookies are sent.

Ditto.

> LayoutTests/http/tests/cookies/same-site/popup-from-iframe-same-site-with-post-form-expected.txt:4
> +PASS popup loaded as '127.0.0.1', then post navigation to 127.0.0.1, so samesite cookies are sent.

Ditto, plus I would like it if this test output was distinct from the one above. Could we add more details so that it's clear what's being tested?

> LayoutTests/http/tests/cookies/same-site/popup-same-site-with-post-form-expected.txt:2
> +PASS popup opened as 'about:blank', then post navigation to 127.0.0.1, so samesite cookies are sent.

Ditto on cookie details.

> LayoutTests/http/tests/cookies/same-site/popup-same-site-with-post-form-expected.txt:3
> +PASS popup opened as '127.0.0.1', then post navigation to 127.0.0.1, so samesite cookies are sent.

Ditto.

> LayoutTests/http/tests/cookies/same-site/popup-same-site-with-post-form-expected.txt:4
> +PASS popup loaded as '127.0.0.1', then post navigation to 127.0.0.1, so samesite cookies are sent.

Ditto, plus the comment on making it distinct.
(In reply to John Wilander from comment #5)
> Comment on attachment 455381
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=455381&action=review
>
> r=me based on enhancing the tests (and getting green EWS bots).

Updated the tests accordingly.

> > LayoutTests/http/tests/cookies/same-site/popup-same-site-with-post-form-expected.txt:4
> > +PASS popup loaded as '127.0.0.1', then post navigation to 127.0.0.1, so samesite cookies are sent.
>
> Ditto, plus the comment on making it distinct.

I updated the comment. In one case we are opening the popup on 127.0.0.1 and in the other case we are fully loading a page in 127.0.0.1, before doing post navigation.
Created attachment 455472: Patch for landing
Committed r291741 (248773@main): <https://commits.webkit.org/248773@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 455472.
Hmm. Are you sure SameSite=strict cookies should be sent in these cases?
See https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
(In reply to John Wilander from comment #10)
> Hmm. Are you sure SameSite=strict cookies should be sent in these cases?

Navigation is same origin (127.0.0.1 to 127.0.0.1) so SameSite=strict should do the same as SameSite=lax, no?
FWIW, Chrome and Firefox are also sending strict cookies for those tests. https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 seems to be about allowing same-site cookies in some cases of cross-origin top level navigations (for GET method).
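The point the two comments above are settling, as an added illustration (this is not WebKit's code nor the bug's test code): a simplified model of the SameSite attachment rules, in which the same-site check is what decides the popup-then-POST scenarios, while cross-site top-level GET is the one place Lax and Strict differ. The `siteOf` helper and the request shape are assumptions of this example; an about:blank popup is attributed to the opener's host because it inherits the opener's origin.

```javascript
// Added example (not WebKit's or the tests' code): a simplified model of the
// SameSite attachment rules, showing why both Lax and Strict cookies are sent
// on the same-site POST navigations exercised by the tests in this bug.
// Assumptions: hosts are IPv4 literals or simple two-label domains, and an
// about:blank popup is attributed to the opener's host (it inherits the origin).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Stand-in for the real "site" computation: the IP literal itself, or the
// registrable domain for a two-label host name.
function siteOf(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  return host.split(".").slice(-2).join(".");
}

// request: { initiatorHost, targetHost, method, topLevel }
// Returns true if a cookie with the given SameSite value would be attached.
function shouldSendCookie(sameSite, request) {
  if (siteOf(request.initiatorHost) === siteOf(request.targetHost)) {
    return true; // same-site: Lax, Strict and None all attach, whatever the method
  }
  if (sameSite === "Strict") return false; // cross-site: Strict never attaches
  if (sameSite === "Lax") {
    // cross-site: Lax rides along only on top-level navigations with a safe method
    return request.topLevel && SAFE_METHODS.has(request.method);
  }
  return true; // SameSite=None (browsers additionally require Secure)
}

// Constructed scenarios mirroring the tests: a popup opened from 127.0.0.1
// (as about:blank or as a 127.0.0.1 page) then POSTs a form to 127.0.0.1,
// compared with the same POST and a GET arriving from another site.
function runScenarios() {
  const popupPost = { initiatorHost: "127.0.0.1", targetHost: "127.0.0.1", method: "POST", topLevel: true };
  const crossSitePost = { initiatorHost: "other.example", targetHost: "127.0.0.1", method: "POST", topLevel: true };
  const crossSiteGet = { ...crossSitePost, method: "GET" };
  return {
    sameSitePostLax: shouldSendCookie("Lax", popupPost),
    sameSitePostStrict: shouldSendCookie("Strict", popupPost),
    crossSitePostLax: shouldSendCookie("Lax", crossSitePost),
    crossSitePostStrict: shouldSendCookie("Strict", crossSitePost),
    crossSiteGetLax: shouldSendCookie("Lax", crossSiteGet),
    crossSiteGetStrict: shouldSendCookie("Strict", crossSiteGet),
  };
}
```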
*** Bug 227819 has been marked as a duplicate of this bug. ***