RESOLVED FIXED
291194
REGRESSION(289693@main): [SOUP] iframe on same apex as parent can't access cookies
https://bugs.webkit.org/show_bug.cgi?id=291194
Simon Knott
Reported
2025-04-07 04:53:14 PDT
The child iframe can't access its parent cookies, even though it's on the same apex domain. This bug was introduced in c6414d5c4ed2fed77d0f485a1ff0a8621411c562...3e847b33c9aa193c4a1fc72e530dd3edaf4f11a2.

# Repro

```js
require('http').createServer((req, res) => {
  res.setHeader('Content-Type', 'text/html');
  if (req.headers.host === 'example.test') {
    res.setHeader('Set-Cookie', 'testCookie=value; SameSite=Lax; Domain=example.test');
    res.end(`
      <p id="result"></p>
      <script>document.getElementById('result').textContent = document.cookie || 'no cookies';</script>
      <iframe src="http://sub.example.test"></iframe>
    `);
  } else if (req.headers.host === 'sub.example.test') {
    res.end(`
      <p id="result"></p>
      <script>document.getElementById('result').textContent = document.cookie || 'no cookies';</script>
    `);
  } else {
    res.statusCode = 404;
    res.end();
  }
}).listen(80);
```

```
# add to /etc/hosts
127.0.0.1 example.test
127.0.0.1 sub.example.test
```

Open up `example.test`. I expect to see `testCookie=value` in both the parent and child frame. It actually shows `no cookies` in the child frame.

Originally reported as https://github.com/microsoft/playwright/issues/35439.
Simon Knott
Comment 1
2025-04-07 04:54:08 PDT
This occurs only on Linux. I'm willing to work on a fix for this.
Fujii Hironori
Comment 2
2025-04-08 00:02:30 PDT
libsoup is used on Linux, not libcurl.
Max Schmitt
Comment 3
2025-04-09 08:21:02 PDT
Investigating: Looks like it only affects special domains like 'example.test' or 'example.test1'. Bisecting the change right now to see which patch caused it.
Max Schmitt
Comment 4
2025-04-10 03:49:05 PDT
- Bisected to https://github.com/webkit/webkit/commit/cb077473952d
- Might be this check https://gitlab.gnome.org/GNOME/libsoup/-/blob/master/libsoup/cookies/soup-cookie-jar.c#L539
- Which checks https://gitlab.gnome.org/GNOME/libsoup/-/blob/master/libsoup/soup-tld.c#L163
Patrick Griffis
Comment 5
2025-04-10 07:15:28 PDT
Pull request: https://github.com/WebKit/WebKit/pull/43899
Patrick Griffis
Comment 6
2025-04-10 07:26:20 PDT
So that patch fixes this specific case. I do wonder, though, if WebKit is entirely correct to treat this as a third-party domain. As you linked, libsoup already did too. That said, other browsers do not block the cookie in this situation.
Patrick Griffis
Comment 7
2025-04-10 07:27:56 PDT
Actually, WebKit on Apple platforms also does this, so I think it's fine.
EWS
Comment 8
2025-04-10 12:57:13 PDT
Committed 293538@main (3f1d5e3400d4): <https://commits.webkit.org/293538@main>

Reviewed commits have been landed. Closing PR #43899 and removing active labels.