RESOLVED FIXED279153
iOS 18 does not allow a client application to specify SameSite=None 
https://bugs.webkit.org/show_bug.cgi?id=279153
Summary iOS 18 does not allow a client application to specify SameSite=None
Kate Chon
Reported 2024-09-04 16:04:45 PDT
Context: Our organization distributes an in-house iOS application that injects an auth cookie into https://developer.apple.com/documentation/foundation/httpcookiestorage intended for our IdP (e.g. `auth.organization.com`), when the end-user navigates to (e.g. `service.alternate-domain.dev`), the service will redirect to the IdP and the expected cookie is not included in the request. This issue was first encountered with iOS 14 due to Intelligent Tracking Protection and we worked around the issue by enabling `NSCrossWebsiteTrackingUsageDescription` to allow our customers to opt-in to cross-domain cookies only within the application. Additionally, since iOS https://developer.apple.com/documentation/foundation/httpcookiestringpolicy has historically only allowed the "Lax" and "Strict" values, our application has been relying on the default behavior, when SameSite is omitted for WebKit to consider it to be `SameSite=None`. Issue and data: On iOS 18 beta 8 we observed the same behavior of IdP cookie no longer being included in the request and observed the below behavior (with ITP disabled): - WebKit is honoring the cookie's SameSite=None attribute when the cookie is set by server in this case the IdP - Attempts to set this attribute from the client side (from the app interacting with the iOS cookie store) have been unsuccessful. For example, by setting `.sameSitePolicy = "none"` - Safari Web Inspector shows the option to set the cookie's SameSite attribute to None, it however, does not get honored either, and is immediately reverted. Analysis: With the data collected so far it seems there is a gap between iOS default behavior to assume WebKit is using `SameSite=None` and the new WebKit change that breaks this assumption to now use `SameSite=Lax` as the default. Because of this gap, the iOS application is no longer able to set SameSite=None breaking existing web flows. Ask: Our internal teams are evaluating multiple options for mitigating impact before iOS 18 release. As such we're looking to get a bit more data and opening up possible mitigation options: - What is the purpose of introducing the backwards incompatible change for stricter cookie behavior (default SameSite=Lax) in WebKit? - Why is the `SameSite=None` only honored when a server specifies the cookie attribute and not when the client specifies it? - Is it feasible for WebKit to implement any of the below as a workaround - Add `none` as an expected cookie policy in https://developer.apple.com/documentation/foundation/httpcookiestringpolicy - Is there an alternate mechanism that would maintain the pre-existing cookie behavior for a specific application (e.g. through an Info.plist flag) - Can the `NSCrossWebsiteTrackingUsageDescription` be updated to maintain the pre-existing default cookie behavior when SameSite attribute is omitted, in addition to disabling ITP?
Attachments
Add attachment proposed patch, testcase, etc.
Charlie Wolfe
Comment 1 2024-09-04 18:11:50 PDT
Thank you for reporting this. I have been able to reproduce the issue and am looking into it.
Radar WebKit Bug Importer
Comment 2 2024-09-04 18:12:13 PDT
<rdar://problem/135312438>
Kate Chon
Comment 3 2024-09-04 18:16:26 PDT
Thanks!
Charlie Wolfe
Comment 4 2024-09-04 20:25:28 PDT
Pull request: https://github.com/WebKit/WebKit/pull/33164
Kate Chon
Comment 5 2024-09-04 20:43:04 PDT
!!!! THANK YOU SO MUCH!! Going through the commit, could you confirm the expectation is for app owners to add the new attribute with a string of "none" as shown below (swift) ```swift let cookieProperties: [HTTPCookiePropertyKey: Any] = [ .domain: "auth.organization.com", .path: "/", .name: "sampleCookie", .value: "sampleValue", .secure: "TRUE", .sameSitePolicy: "none", ] ``` If so, I can communicate this back to app owners so they can prepare an app build with the change.
EWS
Comment 6 2024-09-05 13:31:17 PDT
Committed 283230@main (45ce92c14115): <https://commits.webkit.org/283230@main> Reviewed commits have been landed. Closing PR #33164 and removing active labels.
Charlie Wolfe
Comment 7 2024-09-05 13:44:31 PDT
(In reply to Kate Chon from comment #5) > Going through the commit, could you confirm the expectation is for app > owners to add the new attribute with a string of "none" as shown below Correct.
Kate Chon
Comment 8 2024-09-05 14:49:20 PDT
Thanks!!! 💜💜
EWS
Comment 9 2024-09-06 12:20:52 PDT
Committed 280938.311@safari-7619-branch (3b7cd3b4db5a): <https://commits.webkit.org/280938.311@safari-7619-branch> Reviewed commits have been landed. Closing PR #1700 and removing active labels.
WebKit Commit Bot
Comment 10 2024-09-20 12:20:02 PDT
Re-opened since this is blocked by bug 280080
Alexandre Côté
Comment 11 2024-09-24 12:24:15 PDT
When do we expect this fix to land? If you open a Web console and try: ``` document.cookie = "foo=bar;Path=/;SameSite=None;Secure" ``` Safari will not respect the `SameSite` attribute.
Alexandre Côté
Comment 12 2024-09-24 12:33:16 PDT
Seems to be reverted here: https://github.com/WebKit/WebKit/commit/f30d4606699e8d9b5fbe2bb043c95bd8ff5fb9fa
Kate Chon
Comment 13 2024-09-24 12:39:20 PDT
Hey Alexandre Côté our teams have been able to verify the issue is resolved on iOS 18.1 beta 5. Due to the re-opening of this ticket, it's unclear if we'll be able to expect this change to make it to general release.
Gareth Shapiro
Comment 15 2024-09-25 03:32:26 PDT
Hi. Like others here I am very interested in what will be possible regarding SameSite attribute in iOS 18.1 We are seeing significant customer impact and currently it's quite difficult to provide assurance where I need to that a resolution is being planned for. Comment #4 here : https://bugs.webkit.org/show_bug.cgi?id=278353 makes reference to a scripting engine bug. Ask: It would be very useful to know whether it will be possible to successfully set `SameSite=None;Secure` from an iOS app running on 18.1 on webkit using the scripting engine once 18.1 goes into production. Having this information up front would be particularly useful given the time it takes to assemble and get enterprise apps out the door.
rikardt@greenerp.co.nz
Comment 16 2024-09-27 03:02:00 PDT
Hi, We also having the same issue with the current 18.0 version across multiple clients, and it looks like it's resolved on 18.1 beta 5. Could we get confirmation on whether the current behavior will be the same as in the planned release version.
Charlie Wolfe
Comment 17 2024-10-03 14:54:44 PDT
SameSite=None cookies by default have been restored in iOS 18.0.1. Please verify that your issues are resolved there.
Kate Chon
Comment 18 2024-10-03 16:21:17 PDT
Hello Charlie! Thank you so much on the update! Our teams have been able to verify impact has been mitigated. I hope you have a beautiful and lovely rest of your day!
Note You need to log in before you can comment on or make changes to this bug.