Cookies not working in IFrames
Categories
(Core :: Networking: Cookies, defect)
Tracking
Version | Tracking | Status |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox-esr78 | --- | unaffected |
firefox78 | --- | unaffected |
firefox79 | + | wontfix |
firefox80 | + | wontfix |
People
(Reporter: leechy_leechy, Unassigned, NeedInfo)
References
Details
(Keywords: regression)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Firefox 79 does not pass cookies back to web pages that are hosted inside IFrame.
To reproduce the issue, load the following test HTML page with Firefox 79:
```html
<html><body>
<iframe src="http://www.whatarecookies.com/cookietest.asp"></iframe>
</body></html>
```
Actual results:
When the test HTML page is loaded, the web site responds with:
```
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/8.5
Set-Cookie: ASPSESSIONIDACBTCQCB=GNKIKNHDLHLPBHLKFHEJEKMP; path=/
Date: Thu, 16 Jul 2020 06:34:50 GMT
Connection: close
```
All the requests from now on sent back to the web site should contain the cookie (ASPSESSIONIDACBTCQCB=GNKIKNHDLHLPBHLKFHEJEKMP) but it is missing from the requests.
Here is an actual request that is missing the cookie:
```
GET /favicon.ico HTTP/1.1
Host: www.whatarecookies.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
```
Expected results:
The request should have contained the cookie:
```
GET /favicon.ico HTTP/1.1
Host: www.whatarecookies.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ASPSESSIONIDACBTCQCB=GNKIKNHDLHLPBHLKFHEJEKMP dta=vcount%3D0%2Cprev%3D1594881521071
```
When the web site is not hosted inside an IFrame, the cookies are included in the requests. When the site is hosted inside an IFrame, the cookies are missing.
Cookies inside IFrames do work in Firefox 78, so something has broken in Firefox 79 regarding cookie handling inside IFrames.
Comment 1•5 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2•5 years ago
(In reply to Randall from comment #0)
> To reproduce the issue, load the following test HTML page with Firefox 79:
> <html><body>
> <iframe src="http://www.whatarecookies.com/cookietest.asp"></iframe>
> </body></html>

It's important to specify if the origin of the page with this content is same-origin with http://www.whatarecookies.com or not.
Comment 3•4 years ago
(In reply to Honza Bambas (:mayhemer) from comment #2)
> (In reply to Randall from comment #0)
> > To reproduce the issue, load the following test HTML page with Firefox 79:
> > <html><body>
> > <iframe src="http://www.whatarecookies.com/cookietest.asp"></iframe>
> > </body></html>
>
> It's important to specify if the origin of the page with this content is same-origin with http://www.whatarecookies.com or not.

Honza, do you mean that this is an expected change in behaviour between 78 and 79? I am not seeing something related to this change listed in https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/79
Comment 4•4 years ago
I would like to help investigate this, but I do not understand how I could do that. I'm not sure how to identify what the unwanted behavior is. I don't find any events by filtering them with the "favicon.ico" string.
Randall, can you please write a detailed step by step tutorial on how to verify whether a build is affected or not? I will attempt to find a regression range for the issue, if possible.
Thank you for your contribution!
Comment 5•4 years ago
Did not mean to erase Honza's NI. Putting it back.
Comment 6•4 years ago
This is https://experimenter.services.mozilla.com/experiments/beta-rollout-of-samesite-lax-change/
Flipping network.cookie.sameSite.laxByDefault to false will switch to the previous behavior. 50% of Beta users have this pref flipped.
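
The behaviour discussed in this thread, as an added example that is not part of the bug report or Firefox's code: a simplified model of the SameSite check on outgoing requests, showing why the reported cookie (no `SameSite` attribute) is dropped in a cross-site iframe when `network.cookie.sameSite.laxByDefault` is true and sent when it is false. Assumptions: the embedding page's origin is not given in the report, so `http://embedder.example/` is a placeholder; `siteOf`, `parseSetCookie`, `isCookieSent` and `contextUrl` are hypothetical names; "site" is approximated by the last two host labels instead of the Public Suffix List.

```javascript
// Assumption: "site" = last two host labels; real browsers use the Public Suffix List.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Extract the SameSite attribute from a Set-Cookie header value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { pair, sameSite: null };
  for (const attr of attrs) {
    const [name, value = ''] = attr.split('=');
    const v = value.toLowerCase();
    // Unrecognised SameSite values fall back to the default (null here).
    if (name.toLowerCase() === 'samesite' && ['strict', 'lax', 'none'].includes(v)) {
      cookie.sameSite = v;
    }
  }
  return cookie;
}

// req: { url, contextUrl (top-level page the request is made from),
//        topLevelNavigation, method }
function isCookieSent(setCookieHeader, req, laxByDefault) {
  const cookie = parseSetCookie(setCookieHeader);
  // No SameSite attribute: the pref chooses between Lax and the legacy None.
  const mode = cookie.sameSite || (laxByDefault ? 'lax' : 'none');
  if (siteOf(req.url) === siteOf(req.contextUrl)) return true; // same-site request
  if (mode === 'none') return true;
  if (mode === 'lax') {
    // Lax allows cross-site use only on top-level navigations with safe methods.
    return req.topLevelNavigation && ['GET', 'HEAD'].includes(req.method);
  }
  return false; // strict: never sent cross-site
}

// Set-Cookie value from the report; request contexts are constructed samples.
const REPORTED = 'ASPSESSIONIDACBTCQCB=GNKIKNHDLHLPBHLKFHEJEKMP; path=/';
const faviconInIframe = {
  url: 'http://www.whatarecookies.com/favicon.ico',
  contextUrl: 'http://embedder.example/test.html', // placeholder embedder
  topLevelNavigation: false,
  method: 'GET',
};
const sameSiteEmbed = { ...faviconInIframe, contextUrl: 'http://www.whatarecookies.com/test.html' };

console.log('laxByDefault=true :', isCookieSent(REPORTED, faviconInIframe, true));
console.log('laxByDefault=false:', isCookieSent(REPORTED, faviconInIframe, false));
console.log('same-site embed   :', isCookieSent(REPORTED, sameSiteEmbed, true));
```

The same-site case is why comment 2 asks for the origin of the embedding page: the cookie is only withheld when the embedder is cross-site.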