Closed Bug 1596813 Opened 5 years ago Closed 5 years ago

javascript can't access a samesite=strict cookie set via ajax after page is loaded via link on a third party site

Categories

(Core :: Networking: Cookies, defect)

70 Branch
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1465402

People

(Reporter: jmcaleer, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

I uploaded a minimal proof of concept repo to GitHub that consists of an index.html file and a setcookie.php file: https://github.com/jdmcalee/firefox-cookie-issue-poc. The core idea is an HTML file with JavaScript that makes an ajax request to a server-side process that sets a cookie with samesite set to Strict.

Using that, or your own equivalent setup, the following steps reproduce the problem consistently:

  1. Create a clickable link on some other site, pointing to the index.html file (e.g. send it in an email to yourself).
  2. Click the link to open the proof of concept page.
  3. Click the button to perform a JavaScript fetch to the php script and pop an alert with the value of document.cookie.

Actual results:

The click handler does a fetch to the php script, which sets a cookie with samesite=Strict set. You can see the cookie in the web developer tools in the storage tab, as well as in the network tab. The JavaScript alert shows that document.cookie is empty.

Expected results:

The JavaScript alert should have shown the cookie. Changing the samesite value to Lax results in it being shown in the alert. So does pasting the URL to the proof of concept into the address bar of a new tab and pulling it up directly, with samesite still set to Strict.

Confirmed. We are running into this same issue on our https://lbry.tv site. You can see it happening if you go to https://dev.lbry.tv (check cookie / auth token) and then click on https://bit.ly/2raVRR4 - which is just a redirect back to dev.lbry.tv. The cookie will get cleared and auth token reset (see console).

We are attempting to do this without same-site = false to confirm the problem (just in case someone was using our links to confirm and it's actually working)

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Networking: Cookies
Product: Firefox → Core

Hey Thomas,

This looks like a duplicate of Bug 1465402. Could you take a look at that one and see if you see the same issue?
Marking it as duplicate for now.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE