Closed Bug 1617158 Opened 4 years ago Closed 4 years ago

JavaScript can't access a SameSite=Strict cookie after page is loaded after a redirect from a third party site

Categories

(Core :: Networking: Cookies, defect, P3)

73 Branch
defect

RESOLVED DUPLICATE of bug 1641459

People

(Reporter: me.alex.petrov, Unassigned)

Details

(Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36

Steps to reproduce:

  1. Users visit https://some-integration.com

     GET https://some-integration.com HTTP/1.1

  2. Because they're not logged in, user-agent redirects to https://accounts.spotify.com/authorize (standard OAuth 2.0 flow).

     HTTP/1.1 302 Found
     Location: https://accounts.spotify.com/authorize?client_id=<client_id>&redirect_uri=https%3A%2F%2Fsome-integration.com%2Fsuccess

  3. https://accounts.spotify.com/authorize returns the HTML form (for user to approve scopes) and sets csrf_token cookie.

     GET https://accounts.spotify.com/login?continue=https://*.spotify.net HTTP/1.1

     HTTP/1.1 200 OK
     Content-Type: text/html;charset=UTF-8
     Set-Cookie: csrf_token=<omitted>; Domain=.accounts.spotify.com; Path=/; Secure; SameSite=Strict
     ...

Actual results:

JS call document.cookie doesn't contain csrf_token cookie.

Expected results:

JS call document.cookie contains csrf_token=<omitted>

Assigning "Core: Networking: Cookies" component for this bug.

Component: Untriaged → Networking: Cookies
Product: Firefox → Core

baku, could you have a look please? Thanks!

Flags: needinfo?(amarchesini)

I think our implementation is correct. Chrome is working to apply similar restrictions.
See: https://bugs.chromium.org/p/chromium/issues/detail?id=830101
Let's keep this bug open until Chrome finishes their implementation.

Flags: needinfo?(amarchesini)
Priority: -- → P3
Whiteboard: [necko-triaged]

(In reply to Andrea Marchesini [:baku] from comment #5)

> I think our implementation is correct. Chrome is working to apply similar restrictions.
> See: https://bugs.chromium.org/p/chromium/issues/detail?id=830101
> Let's keep this bug open until Chrome finishes their implementation.

Unfortunately, I can't see the Chrome issue (Permission Denied), so could you please clarify what you mean by "correct"? I'm not aware of any RFC/proposal/standard which would limit JS access to cookies with SameSite=Strict.

(In reply to Andrea Marchesini [:baku] from comment #5)

> I think our implementation is correct. Chrome is working to apply similar restrictions.
> See: https://bugs.chromium.org/p/chromium/issues/detail?id=830101
> Let's keep this bug open until Chrome finishes their implementation.

Can you please answer Alex Petrov's question? I'm also confused about a lack of anything in the spec that would indicate that SameSite=Strict cookies should not be accessible from document.cookie.

Flags: needinfo?(amarchesini)

(In reply to Stefan Wrobel from comment #7)

> (In reply to Andrea Marchesini [:baku] from comment #5)
>
> > I think our implementation is correct. Chrome is working to apply similar restrictions.
> > See: https://bugs.chromium.org/p/chromium/issues/detail?id=830101
> > Let's keep this bug open until Chrome finishes their implementation.
>
> Can you please answer Alex Petrov's question? I'm also confused about a lack of anything in the spec that would indicate that SameSite=Strict cookies should not be accessible from document.cookie.

The Firefox behavior is now in sync with Chrome. You should be able to see the SameSite=Strict/Lax cookies using document.cookie. See bug 1641459.

Flags: needinfo?(amarchesini)
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE