SameSite=Lax cookie attribute not correctly handled in Safari 14.0.2 < version <= current #2236
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cdumez
added
Other
WebKit Misc.
cdumez
requested review from
youennf,
darinadler,
achristensen07 and
geoffreygaren
webkit-early-warning-system
added
the
merging-blocked
cdumez
force-pushed
the
230568_samesite_lax_cookie_fix
branch
from
955414d
to
ea63e54
Compare
darinadler
approved these changes
Jul 8, 2022
|
|
||
| auto* targetFrame = formState || frameName.isEmpty() ? nullptr : findFrameForNavigation(frameName); | ||
|
|
||
| auto willOpenInNewWindow = !frameName.isEmpty() && !targetFrame ? WillOpenInNewWindow::Yes : WillOpenInNewWindow::No; |
There was a problem hiding this comment.
I can’t follow the logic here. Is this check correct? Why do we have to check both frame name and target frame?
There was a problem hiding this comment.
Yes, I believe this check is correct. If you look at the code below, we will call policyChecker().checkNewWindowPolicy() in the case where we have a (target) frameName but no actual Frame object for it.
For example, if you do target='foo', we'll first try and find a target Frame within the process and use it if we find one. However, if we cannot find such a Frame, we'll do the navigation in a new window/Frame, whose name will be "foo".
Also see the check at this line in the other function:
https://github.com/WebKit/WebKit/pull/2236/files#diff-d607936f085c93e3e1113e2c988f664830ab21dbe8351cfc08744a8b5112d473R1381
Same condition for calling checkNewWindowPolicy().
webkit-early-warning-system
added
the
merging-blocked
cdumez
added
merge-queue
…< version <= current https://bugs.webkit.org/show_bug.cgi?id=230568 <rdar://83360821> Reviewed by Darin Adler. The `isTopLevelNavigation` flag on the request needs to be properly set for top-level navigations in order for SameSite=Lax cookies to be sent. In the case of this bug, the navigation is initiated by a cross-origin iframe but it is still a top-level navigation since the navigation occurs in a new window, not in the iframe itself. However, the isTopLevelNavigation flag would be unset and SameSite=Lax cookies wouldn't get sent. The issue was that FrameLoader::updateRequestAndAddExtraFields() was checking if the FrameLoader's m_frame was the main frame to determine if the main frame is being navigated. This generally works because targeted (e.g. via `target="foo"`) are usually resolved before calling this function so we're supposed to be on the target frame's FrameLoader already. However, this is not the case when the navigation is to happen in a new window since there isn't a target frame yet (it will get created later on). To address the issue, call sites of updateRequestAndAddExtraFields() now pass in a new willOpenInNewWindow flag whenever the navigation will happen in a new window. As a result, updateRequestAndAddExtraFields() can properly set the `isTopLevelNavigation` flag in this case. Test: http/tests/cookies/same-site/popup-cross-site-from-cross-origin-iframe.html * LayoutTests/http/tests/cookies/same-site/popup-cross-site-from-cross-origin-iframe-expected.txt: Added. * LayoutTests/http/tests/cookies/same-site/popup-cross-site-from-cross-origin-iframe.html: Added. * LayoutTests/http/tests/cookies/same-site/resources/navigate-to-post-cookies-to-opener-iframe.html: Added. * Source/WebCore/loader/FrameLoader.cpp: (WebCore::FrameLoader::loadURL): (WebCore::FrameLoader::updateRequestAndAddExtraFields): (WebCore::FrameLoader::loadPostRequest): * Source/WebCore/loader/FrameLoader.h: Canonical link: https://commits.webkit.org/252341@main
webkit-early-warning-system
force-pushed
the
230568_samesite_lax_cookie_fix
branch
from
ea63e54
to
ac5c740
Compare
|
Committed 252341@main (ac5c740): https://commits.webkit.org/252341@main Reviewed commits have been landed. Closing PR #2236 and removing active labels. |
webkit-commit-queue
removed
the
merge-queue
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ac5c740