Bug 245275 (NEW): submitting html contact form with csrf cookie
https://bugs.webkit.org/show_bug.cgi?id=245275
wgordonw1
Reported 2022-09-16 07:36:51 PDT
There are legitimate use cases for contact/feedback/survey/etc. forms to be hosted on one domain and shared amongst many partner domains. The current ITP workflow makes this very difficult and prevents a seamless experience. Please consider allowing user-initiated form submissions (i.e. from clicking a "submit" button) from third-party iframes to submit with CSRF cookies. Surely basic HTML forms don't need to be restricted so aggressively that they prevent this use case? Perhaps cookies could be forced as HttpOnly in third-party context for forms?
Radar WebKit Bug Importer
Comment 1 2022-09-23 07:37:17 PDT
John Wilander
Comment 2 2022-09-30 11:25:25 PDT
Have you tried to use the Storage Access API for this flow? Let us know if it doesn't work for you. See the guide under "How To Use the Storage Access API" here: https://webkit.org/blog/11545/updates-to-the-storage-access-api/ Thanks!
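The flow John Wilander points at, as an added example (not code from the bug report, the reporter, or WebKit): a contact form hosted on one domain, embedded as a cross-site iframe on a partner page, asks for storage access inside the submit handler so that the hosting domain's CSRF cookie travels with the POST. Two assumptions are baked in: the CSRF cookie is set with `SameSite=None; Secure` (without that attribute no browser sends it cross-site at all, ITP or not), and the user has previously interacted with the hosting domain as a first party, which is the precondition the linked WebKit guide describes before a storage access prompt can be granted. The document and form are passed in as parameters so the logic can be exercised offline with the constructed fakes at the bottom; in a real page they are `document` and the `<form>` element.

```javascript
// Added example, not from the bug report or from WebKit. Assumes the form's
// action lives on the hosting domain and that domain's CSRF cookie is set with
// "SameSite=None; Secure". `doc` and `form` are parameters (document and the
// <form> in a real page) so the flow can be run offline with the fakes below.

function attachStorageAccessSubmit(doc, form, onResult = () => {}) {
  form.addEventListener("submit", (ev) => {
    ev.preventDefault(); // take over the native submission
    handleSubmit(doc, form).then(onResult);
  });
}

// Resolves to a short outcome string describing what happened.
function handleSubmit(doc, form) {
  if (typeof doc.requestStorageAccess !== "function") {
    // No Storage Access API in this browser: nothing to ask for, submit as usual.
    form.submit();
    return Promise.resolve("submitted-without-api");
  }
  // requestStorageAccess() is called synchronously inside the submit handler:
  // WebKit only honours it while the user gesture that fired the event is
  // still active, so nothing may be awaited before this call.
  return doc.requestStorageAccess().then(
    () => {
      // Granted (or access already held): the POST now carries the host's cookies.
      form.submit();
      return "submitted-with-access";
    },
    () => {
      // Denied or dismissed: the CSRF cookie would not be sent, so do not
      // fire a request the server is going to reject anyway.
      return "access-denied";
    }
  );
}

// Load-time check: tell the user a prompt is coming if access is not yet held.
function needsPrompt(doc) {
  if (typeof doc.hasStorageAccess !== "function") return Promise.resolve(false);
  return doc.hasStorageAccess().then((has) => !has);
}

// Constructed stand-ins for a browser document and form (not real DOM objects),
// used only so the flow above can be exercised outside a browser.
function makeFakeDocument({ hasApi = true, hasAccess = false, grant = true } = {}) {
  const doc = { calls: [] };
  if (hasApi) {
    doc.hasStorageAccess = () => {
      doc.calls.push("hasStorageAccess");
      return Promise.resolve(hasAccess);
    };
    doc.requestStorageAccess = () => {
      doc.calls.push("requestStorageAccess");
      return grant ? Promise.resolve() : Promise.reject(new Error("NotAllowedError"));
    };
  }
  return doc;
}

function makeFakeForm() {
  const listeners = {};
  return {
    submitted: false,
    submit() { this.submitted = true; },
    addEventListener(type, fn) { listeners[type] = fn; },
    // Simulates the user clicking the submit button.
    click() { listeners.submit({ preventDefault() {} }); },
  };
}

if (typeof document !== "undefined") {
  // Real page inside the iframe: wire up the first form.
  attachStorageAccessSubmit(document, document.querySelector("form"));
} else {
  // Offline demo: the user declines the prompt, so the form is not submitted.
  const doc = makeFakeDocument({ grant: false });
  const form = makeFakeForm();
  attachStorageAccessSubmit(doc, form, (r) => console.log(r, form.submitted));
  form.click();
}
```

The design point is the ordering: the native submit is cancelled, `requestStorageAccess()` is invoked synchronously in the gesture, and the form is only submitted once the promise resolves. Submitting first and asking afterwards reproduces the multi-pass experience described later in this bug, because the first POST goes out without the cookie.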
wgordonw1
Comment 3 2022-10-04 12:23:35 PDT
We attempted this path before submitting the issue. The workflow is complicated in this application and it was reported to be frustrating by testers - the current leading suggestion is to remove CSRF protection, but that seems like a bad long-term solution to me. From memory, the data-entry experience was frustrating because the form had to be filled out multiple times due to the greeting redirect and cookie prompts - I believe we had to let the user fill out the form, wait for them to click submit, then redirect to the greeting page, have them click a button that goes backwards in history, then they have to click a popup to allow cookies, then the page needs to be refreshed, then they have to fill out the form and hit submit.