Javascript can't access a SameSite=Strict cookie after page is loaded after a redirect from a third party site
Categories: Core :: Networking: Cookies, defect, P3
People: Reporter: me.alex.petrov, Unassigned
Details: Whiteboard: [necko-triaged]
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36
Steps to reproduce:
- Users visit https://some-integration.com
GET https://some-integration.com HTTP/1.1
- Because they're not logged in, user-agent redirects to https://accounts.spotify.com/authorize (standard OAuth 2.0 flow).
HTTP/1.1 302 Found
Location: https://accounts.spotify.com/authorize?client_id=<client_id>&redirect_uri=https%3A%2F%2Fsome-integration.com%2Fsuccess
https://accounts.spotify.com/authorize returns the HTML form (for the user to approve scopes) and sets the csrf_token cookie.
GET https://accounts.spotify.com/login?continue=https://*.spotify.net HTTP/1.1
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: csrf_token=<omitted>; Domain=.accounts.spotify.com; Path=/; Secure; SameSite=Strict
...
Actual results:
The JS call document.cookie doesn't contain the csrf_token cookie.
Expected results:
The JS call document.cookie contains csrf_token=<omitted>.
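As an added illustration (not part of the bug report or of Firefox's code), a simplified Python model of the RFC 6265bis same-site rules that separates the two accesses in the steps above: the top-level navigation that arrives at accounts.spotify.com via the redirect from some-integration.com, on which a SameSite=Strict cookie must not be sent, and the later document.cookie read from the accounts.spotify.com document, which is a same-site access and should see it. Assumptions: a site is approximated by the last two host labels instead of the Public Suffix List, scheme and Secure checks are omitted, and the lax_pref and tracker cookies are constructed for contrast.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # as given in Set-Cookie, e.g. ".accounts.spotify.com"
    same_site: str   # "Strict", "Lax" or "None"


# Constructed cookie jar modelled on the report; the csrf_token value is a placeholder.
JAR = [
    Cookie("csrf_token", "<omitted>", ".accounts.spotify.com", "Strict"),
    Cookie("lax_pref", "x", ".accounts.spotify.com", "Lax"),    # constructed
    Cookie("tracker", "y", ".accounts.spotify.com", "None"),    # constructed
]


def site_of(host: str) -> str:
    # Assumption: the last two labels are the registrable domain (real browsers
    # consult the Public Suffix List and also compare schemes).
    return ".".join(host.split(".")[-2:])


def domain_matches(cookie: Cookie, host: str) -> bool:
    d = cookie.domain.lstrip(".")
    return host == d or host.endswith("." + d)


def cookies_for_request(jar, target_host, initiator_host, top_level_navigation, method="GET"):
    """Names of cookies attached to an HTTP request (simplified RFC 6265bis rules)."""
    same_site = site_of(target_host) == site_of(initiator_host)
    safe_nav = top_level_navigation and method in ("GET", "HEAD", "OPTIONS", "TRACE")
    names = []
    for c in jar:
        if not domain_matches(c, target_host):
            continue
        if c.same_site == "Strict" and not same_site:
            continue  # Strict: never sent on a cross-site request
        if c.same_site == "Lax" and not same_site and not safe_nav:
            continue  # Lax: cross-site only on safe top-level navigations
        names.append(c.name)
    return names


def cookies_for_document(jar, document_host):
    """Names visible through document.cookie: a top-level document is same-site
    with itself, whatever navigation (or redirect) loaded it."""
    return cookies_for_request(jar, document_host, document_host, top_level_navigation=False)


def reproduce_report():
    # Step 2 on a repeat visit (jar already holds csrf_token): cross-site redirect target.
    nav = cookies_for_request(JAR, "accounts.spotify.com", "some-integration.com", top_level_navigation=True)
    doc = cookies_for_document(JAR, "accounts.spotify.com")  # step 3: page reads document.cookie
    return {"sent_on_redirected_navigation": nav, "document_cookie": doc}
```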
Comment 1•4 years ago (Reporter)
Maybe related to https://bugzilla.mozilla.org/show_bug.cgi?id=1596813
Comment 2•4 years ago (Reporter)
Comment 3•4 years ago
Assigning "Core: Networking: Cookies" component for this bug.
Comment 5•4 years ago
I think our implementation is correct. Chrome is working to apply similar restrictions.
See: https://bugs.chromium.org/p/chromium/issues/detail?id=830101
Let's keep this bug open until chrome finishes their implementation.
Updated•4 years ago
Comment 6•4 years ago (Reporter)
(In reply to Andrea Marchesini [:baku] from comment #5)
> I think our implementation is correct. Chrome is working to apply similar restrictions.
> See: https://bugs.chromium.org/p/chromium/issues/detail?id=830101
> Let's keep this bug open until chrome finishes their implementation.
Unfortunately, I can't see the Chrome issue (Permission Denied), so could you please clarify what you mean by "correct"? I'm not aware of any RFC/proposal/standard which would limit JS access to cookies with SameSite=Strict.
Comment 7•4 years ago
(In reply to Andrea Marchesini [:baku] from comment #5)
> I think our implementation is correct. Chrome is working to apply similar restrictions.
> See: https://bugs.chromium.org/p/chromium/issues/detail?id=830101
> Let's keep this bug open until chrome finishes their implementation.
Can you please answer Alex Petrov's question? I'm also confused about a lack of anything in the spec that would indicate that SameSite=Strict cookies should not be accessible from document.cookie
Comment 8•4 years ago
(In reply to Stefan Wrobel from comment #7)
> (In reply to Andrea Marchesini [:baku] from comment #5)
> > I think our implementation is correct. Chrome is working to apply similar restrictions.
> > See: https://bugs.chromium.org/p/chromium/issues/detail?id=830101
> > Let's keep this bug open until chrome finishes their implementation.
> Can you please answer Alex Petrov's question? I'm also confused about a lack of anything in the spec that would indicate that SameSite=Strict cookies should not be accessible from document.cookie
The firefox behavior is now in sync with chrome. You should be able to see the sameSite=strict/lax cookies using document.cookie. See bug 1641459.
Updated•4 years ago