samesite=strict prevents reading the cookie after a xhr request
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: alexanderbh, Unassigned)
References
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(1 obsolete file)
Reporter | ||
Updated•6 years ago
|
Reporter | ||
Updated•6 years ago
|
Reporter | ||
Comment 1•6 years ago
|
||
Comment 2•6 years ago
|
||
Reporter | ||
Comment 3•6 years ago
|
||
Comment 4•6 years ago
|
||
Comment 5•6 years ago
|
||
Comment 6•6 years ago
|
||
Comment 7•6 years ago
|
||
Comment 8•6 years ago
|
||
Comment 9•6 years ago
|
||
Comment 10•6 years ago
|
||
Comment 11•6 years ago
|
||
Comment 12•6 years ago
|
||
Comment 13•6 years ago
|
||
Comment 14•6 years ago
|
||
Comment 15•6 years ago
|
||
Comment 16•6 years ago
|
||
Comment 17•6 years ago
|
||
Comment 18•6 years ago
|
||
Comment 19•6 years ago
|
||
Comment 20•6 years ago
|
||
Comment 21•6 years ago
|
||
Comment 22•6 years ago
|
||
Comment 23•6 years ago
|
||
Comment 24•6 years ago
|
||
Comment 25•6 years ago
|
||
Comment 26•6 years ago
|
||
Updated•6 years ago
|
Comment 27•6 years ago
|
||
Comment 28•6 years ago
|
||
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Comment 29•5 years ago
|
||
We are kinda experiencing a similiar problem but only when you get redirected from another domain to the domain which is setting the cookie.
So I can reproduce this if I have domain A (http://redirect.test.local) redirect by 302 to domain B (http://otherdomain.bug.local). After arriving on the http://otherdomain.bug.local we do a XHR call to an api which returns a Set-Cookie: test=test; domain=otherdomain.bug.local; path=/; samesite=strict
then document.cookie
will be empty. If you go directly to http://otherdomain.bug.local then we don't experience the problem.
I have a HAR file which shows the most simple flow I could make to reproduce it. If that's useful information please let me know and I will attach it.
I tested this with version 67.0 up to nightly.
Since I see nothing in this issue saying anything about redirects ect. is this the same bug or do I need to log a different one?
Comment 30•5 years ago
|
||
(In reply to rutgerstorm from comment #29)
Since I see nothing in this issue saying anything about redirects ect. is this the same bug or do I need to log a different one?
I am pretty sure we are facing the same underlying issue as outlined in comment 27 and 28.
Jonathan, you have been working on providing the correct triggeringPrincipal for all top-level loads (Bug 1333030 and dependencies). It seems that in some cases we are falling back to NullPrincipal which causes to break same-site strict cookies.
Could you please take a look - I think we should fix the underlying triggeringPrincipal problem.
Comment 31•5 years ago
|
||
We have the same issue. We use an angularjs webapp. When samesite was set to strict angularjs was unable the read the cookie. With samesite set to lax everything works fine. It doesn't occur when working with a localhost uri. This is 100% reproducible in our code.
Comment 32•5 years ago
|
||
We are also seeing this. Though there are no XHR requests involved (so might be different, though sounds very similar). Angularjs webapp.
We do a redirect from A (sub.redirect-from.com) to B (sub.redirect-to.com), inside redirect-to.com we do:
document.cookie = 'test_cookie=true; domain=sub.redirect-to.com; path=/; samesite=strict; secure';
document.location.reload()
The reload does NOT send the cookie to the backend, and this cookie is ALSO not available in document.cookie
causing this code to just infinitely reload. A user-reload will not fix it, but going to the URL bar and pressing enter does allow the document.cookie
to be read.
Comment 34•5 years ago
|
||
(In reply to Tom Schuster [:evilpie] from comment #33)
Christoph, is Jonathan unavailable?
I just had a quick sync with Jonathan, he will take a look asap, but probably not before next week. Sorry for the delay here.
Comment 35•5 years ago
|
||
From memory I think this was a triggering principal issue but I never got around to fixing it. Removing NI sorry.
Updated•2 years ago
|
Description
•