RESOLVED FIXED 245614
Safari forgets first-party interaction
https://bugs.webkit.org/show_bug.cgi?id=245614
Remko Tronçon
Reported 2022-09-24 03:16:33 PDT
I'm the provider of an iframe-embedded app that relies on (third-party) cookies. I use ITP for ensuring I have storage access. Even though hasStorageAccess() returns true, I detect cookies are not persisted. This happens because of the old WebKit "you need to have had first-party interaction before third-party cookies work" (see e.g. 218396). Letting the user do first-party interaction indeed solves the problem. However, Safari (15.6.1) seems to forget the first-party interaction on every browser restart (even if the first-party interaction was only minutes earlier). This means the user needs to go through the entire first-party interaction every time they start their browser, which is obviously time-consuming. Is this expected? I have the impression that this is relatively recent?
Radar WebKit Bug Importer
Comment 1 2022-09-26 15:22:11 PDT
Charlie Wolfe
Comment 2 2023-01-24 18:39:17 PST
I'm having difficulty reproducing this on trunk WebKit. Safari appears to remember first-party interaction each time I request storage access from a third-party iframe, even after closing the browser.
Remko Tronçon
Comment 3 2023-01-25 01:29:32 PST
I tried with Safari 16.2, and I still experience the problem. After going through the Storage Access API, the code I use tries to set a (client-side) cookie in JavaScript, and read it back immediately. If this fails, I assume cookie storage doesn't work, and that this is due to missing first-party interaction. When I do this on a fresh browser instance, the check always fails. If I first go to our first-party website, sign in and out (to get first-party interaction), and then do the same third-party flow, it works fine.
Charlie Wolfe
Comment 4 2023-01-26 23:46:06 PST
It looks like storage access and another cookie set is required to access document.cookie in a third-party iframe. Could your issue be that the cookies you set on your first-party website aren’t persisted after Safari closes? It’s possible we should still change some behavior here though.
John Wilander
Comment 5 2023-01-26 23:53:40 PST
Hi! We have a comprehensive guide under “How To Use the Storage Access API” here: https://webkit.org/blog/11545/updates-to-the-storage-access-api/ See if any of those steps and explanations help you narrow this down. Thanks!
Remko Tronçon
Comment 6 2023-01-27 03:00:29 PST
@Charlie I was assuming the 'first-party interaction with a cookie' was kept track of internally in Safari. I didn't consider it was related to the actual cookie. The cookie we were setting was indeed defaulting to session lifetime, so was not persisted across restarts. Setting a cookie with a timeout indeed seems to solve the issue. Thanks!
John Wilander
Comment 7 2023-01-27 07:01:38 PST
(In reply to Remko Tronçon from comment #6)
> @Charlie
>
> I was assuming the 'first-party interaction with a cookie' was kept track of
> internally in Safari. I didn't consider it was related to the actual cookie.
>
> The cookie we were setting was indeed defaulting to session lifetime, so was
> not persisted across restarts. Setting a cookie with a timeout indeed seems
> to solve the issue.
>
> thanks!

It doesn’t have to do with user interaction as first party but with the underlying cookie policy. Step 4 in the guide I linked to: “Set cookies when you are first-party. This establishes the website as “visited” for the purposes of the underlying cookie policy. Third parties without cookies cannot set cookies in Safari and never have since Safari 1.0 in 2003. This means you cannot use the Storage Access API as third-party until you have set at least one cookie as first party.”
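The diagnosis reached in comments 4 to 6 (a first-party cookie with session lifetime is gone after a restart, so the site no longer counts as "visited") can be checked by classifying the Set-Cookie values a first-party page sends. This is an added example, not code from the thread or from WebKit; the cookie names and sample headers are constructed, and the lifetime rules are those of RFC 6265 (Max-Age takes precedence over Expires, neither means a session cookie).

```javascript
// Added example: decide whether a Set-Cookie value outlives a browser restart.
function cookieLifetime(setCookie, nowMs = Date.now()) {
  const [pair, ...rawAttrs] = setCookie.split(";");
  const name = pair.split("=")[0].trim();
  const attrs = new Map();
  for (const raw of rawAttrs) {
    const eq = raw.indexOf("=");
    const key = (eq === -1 ? raw : raw.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? "" : raw.slice(eq + 1).trim();
    attrs.set(key, val); // a repeated attribute: the last occurrence wins
  }
  let expiresAt = null; // null means no usable lifetime attribute: session cookie
  if (attrs.has("max-age") && /^-?\d+$/.test(attrs.get("max-age"))) {
    const secs = parseInt(attrs.get("max-age"), 10);
    expiresAt = secs <= 0 ? 0 : nowMs + secs * 1000;
  } else if (attrs.has("expires")) {
    // An invalid Max-Age is ignored, so Expires still applies here.
    const t = Date.parse(attrs.get("expires"));
    if (!Number.isNaN(t)) expiresAt = t;
  }
  if (expiresAt === null) return { name, kind: "session" };
  if (expiresAt <= nowMs) return { name, kind: "expired" };
  return { name, kind: "persistent", expiresAt };
}

// Names of cookies that will not be present after the browser is restarted.
function cookiesLostOnRestart(headers, nowMs = Date.now()) {
  return headers
    .map((h) => cookieLifetime(h, nowMs))
    .filter((c) => c.kind !== "persistent")
    .map((c) => c.name);
}

// Constructed sample: Set-Cookie values from a hypothetical first-party page.
const NOW = Date.UTC(2023, 0, 27);
const SAMPLE = [
  "visited=1; Path=/; Secure",                               // session lifetime
  "visited_persistent=1; Path=/; Secure; Max-Age=2592000",   // 30 days
  "legacy=1; Path=/; Expires=Thu, 26 Jan 2023 00:00:00 GMT", // already past
  "sid=abc; Expires=Sat, 27 Jan 2024 00:00:00 GMT; Max-Age=0", // Max-Age wins
];

console.log(cookiesLostOnRestart(SAMPLE, NOW));
```

If every cookie the first-party page sets appears in that list, the embedded third-party flow starts from a cookie-less state after each restart, which matches the behaviour reported in comment 3.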