Closed Bug 1667345 Opened 5 years ago Closed 4 years ago

Set-Cookie with SameSite=LAX in iframe is not honoured until a refresh

Categories

(Core :: Networking: Cookies, defect)

Firefox 82
defect

RESOLVED INCOMPLETE

People

(Reporter: tmoxon, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Attachments

(1 file)

Attached image samesite_flow.jpg

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36

Steps to reproduce:

1. Set up 2 sites with different subdomains but the same top level (one.test.com, two.test.com).
2. Set up OAuth apps for each domain and register authentication using those apps in each site, both of which use the same identity, so a signed-in identity with one can be used on the other (we were using 2 apps in the same Azure AD tenant).
3. Configure your authentication for those apps so they will set an auth cookie with samesite=LAX. Set it as active auth that automatically redirects the user to login when accessing the site.
4. Set up a page on the first site (one.test.com) that includes an iframe to content on the second site (two.test.com).
5. Sign into the first site and access the page you've set up with the iframe.

Actual results:

The iframe ends up in an infinite loop. After auth, when the iframe returns to the site, the Set-Cookie header is present; however, it isn't then sent, and so you are redirected to auth again.

If you refresh the page then the cookie has actually been set, and on that refresh the iframe won't even redirect to auth because it's already signed in.

Expected results:

The iframe should load, bouncing through the OAuth flow and landing on the specified URL. This works fine when:

- Default to lax is false (in FF about:config)
- SameSite is set to none on the auth cookie
- You're using Chrome (any recent), Edge or Safari

What appears to confirm that the behaviour isn't intended is that if you refresh the page, the cookie has actually been set and the iframed content will load / has a valid auth cookie; it's just not honoured immediately.

The attached image shows the Set-Cookie that doesn't get honoured. You can see in the network tab how you get sent straight back to auth again.
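The expectation in the report (a SameSite=Lax cookie should be sent to two.test.com when it is framed by one.test.com, since both share the registrable domain test.com, while SameSite=None is sent regardless) can be checked against the SameSite attach rules. The following Python model is an added example, not part of the bug or of Firefox's cookie code; it assumes a two-label registrable domain (no public suffix list) and uses a hypothetical https://example.org/ as the cross-site comparison.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def site_of(url: str) -> tuple[str, str]:
    """(scheme, registrable domain). Assumption: the registrable domain is the
    last two host labels; real browsers consult the Public Suffix List."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return parts.scheme, ".".join(labels[-2:])

def is_same_site(request_url: str, top_level_url: str) -> bool:
    """Schemeful same-site: scheme and registrable domain must both match."""
    return site_of(request_url) == site_of(top_level_url)

@dataclass
class Cookie:
    name: str
    same_site: str | None = None  # "Strict", "Lax", "None", or None when absent

def should_attach(cookie: Cookie, request_url: str, top_level_url: str, *,
                  top_level_navigation: bool, method: str = "GET",
                  lax_by_default: bool = True) -> bool:
    """Is a cookie already stored for request_url's host sent on this request?
    top_level_url is the top-level document's URL; an iframe load is a frame
    request, not a top-level navigation."""
    mode = cookie.same_site
    if mode is None:              # attribute absent
        if not lax_by_default:
            return True           # legacy behaviour: no restriction
        mode = "Lax"              # "Default to lax" in about:config
    if mode == "None":
        return True
    same_site = is_same_site(request_url, top_level_url)
    if mode == "Strict":
        return same_site
    # Lax: same-site requests, plus cross-site top-level navigations with safe methods
    return same_site or (top_level_navigation and method.upper() in SAFE_METHODS)

def report_scenario() -> dict[str, bool]:
    """Constructed scenario from the report: one.test.com frames two.test.com."""
    lax, none = Cookie("auth", "Lax"), Cookie("auth", "None")
    frame = dict(request_url="https://two.test.com/", top_level_navigation=False)
    return {
        "lax_from_one.test.com": should_attach(lax, top_level_url="https://one.test.com/", **frame),
        "lax_from_example.org": should_attach(lax, top_level_url="https://example.org/", **frame),
        "none_from_example.org": should_attach(none, top_level_url="https://example.org/", **frame),
    }
```

Under these rules the framed two.test.com request from one.test.com is same-site, so a Lax cookie should be attached there; only a genuinely cross-site embedder would drop it.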

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core

Hi Tim,
do you have a test page so I can test it? thanks!

Flags: needinfo?(tmoxon)

Moving this to the correct component.

Component: Privacy: Anti-Tracking → Networking: Cookies
Flags: needinfo?(tmoxon)
Severity: -- → S3
Priority: -- → P3

I misinterpreted - I thought we were able to reproduce this. So I guess we still need a test case - re-flagging the reporter for this.

Tim, could you share an example test case to reproduce this?

Severity: S3 → --
Flags: needinfo?(tmoxon)
Priority: P3 → --
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE