Set-Cookie with SameSite=LAX in iframe is not honoured until a refresh
Categories: Core :: Networking: Cookies, defect
People: Reporter: tmoxon, Unassigned, NeedInfo
References: Blocks 1 open bug
Attachments (1 file): image/jpeg, 157.54 KB
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Steps to reproduce:
1. Set up 2 sites with different subdomains but the same top-level domain (one.test.com, two.test.com).
2. Set up OAuth apps for each domain and register authentication using those apps in each site; both use the same identity, so a signed-in identity with one can be used on the other (we were using 2 apps in the same Azure AD tenant).
3. Configure your authentication for those apps so they will set an auth cookie with samesite=LAX. Set it as the active auth that automatically redirects the user to login when accessing the site.
4. Set up a page on the first site (one.test.com) that includes an iframe to content on the second site (two.test.com).
5. Sign into the first site and access the page you've set up with the iframe.
Actual results:
The iframe ends up in an infinite loop. After auth, when the iframe returns to the site, the set-cookie header is present; however, it isn't then sent, and so you are redirected to auth again.
If you refresh the page, the cookie has actually been set, and on that refresh the iframe won't even redirect to auth because it's already signed in.
Expected results:
The iframe should load, bouncing through the oauth flow and landing onto the specified url. This works fine when:
Default to lax is false (in FF about:config)
SameSite is set to none on the auth cookie
You're using chrome (any recent), edge or safari
What appears to confirm that the behaviour isn't intended is that if you refresh the page, the cookie has actually been set and the iframed content will load / has a valid auth cookie; it's just not honoured immediately.
The attached image shows the Set-Cookie that doesn't get honoured. You can see in the network tab how you get sent straight back to auth again.
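To make the expectation in the report concrete, here is an added model (not the reporter's code and not Firefox's implementation) of the SameSite rules from RFC 6265bis that govern the two things the report cares about: whether a Set-Cookie carrying SameSite=Lax is stored when it arrives in an iframe, and whether that cookie is then attached to the iframe's next request. It is deliberately simplified and the simplifications are assumptions: a tiny constructed public-suffix list stands in for the real Public Suffix List, "site" is scheme plus registrable domain, and same-site is judged from the request URL and the top-level document only (the redirect chain through the identity provider is ignored). The hostnames one.test.com and two.test.com come from the report; the paths, the cookie name and the unrelated site portal.example.org are constructed.

```python
"""Simplified model of RFC 6265bis SameSite storage and attachment rules.

Added example for the iframe + OAuth-redirect scenario in the report; it is
not Firefox code. Assumptions: a constructed public-suffix list, schemeful
same-site (scheme + registrable domain), and same-site decided from the
request URL and the top-level document alone (redirect chain ignored).
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List so the example runs offline.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a host: the 'site' that SameSite comparisons use."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The public suffix plus one more label, when there is one.
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def site_of(url: str) -> tuple[str, str]:
    """Schemeful site: (scheme, registrable domain)."""
    parts = urlsplit(url)
    return (parts.scheme, registrable_domain(parts.hostname or ""))


@dataclass
class Cookie:
    name: str
    same_site: str  # "Strict", "Lax" or "None"


@dataclass
class Request:
    url: str
    top_level_url: str             # URL of the top-level document embedding the frame
    is_top_level_navigation: bool  # False for iframe loads and subresources
    method: str = "GET"


def is_same_site(req: Request) -> bool:
    """Same-site when the request URL's site equals the top-level document's site."""
    return site_of(req.url) == site_of(req.top_level_url)


def cookie_accepted_on_set(cookie: Cookie, response_req: Request) -> bool:
    """A Strict/Lax cookie delivered by the response to a cross-site request is ignored."""
    return cookie.same_site == "None" or is_same_site(response_req)


def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """Would the user agent attach this cookie to the request?"""
    if cookie.same_site == "None":
        return True
    if is_same_site(req):
        return True
    if cookie.same_site == "Lax":
        # Lax also rides along on cross-site top-level navigations with safe methods.
        return req.is_top_level_navigation and req.method in ("GET", "HEAD")
    return False


# The report's setup: one.test.com embeds an iframe of two.test.com (same eTLD+1).
AUTH_COOKIE = Cookie("auth_session", "Lax")  # constructed name; attribute from the report
TOP_LEVEL = "https://one.test.com/page-with-iframe"  # constructed path

# Step 1: after the IdP redirect, the iframe lands back on two.test.com and receives Set-Cookie.
callback = Request("https://two.test.com/signin-callback", TOP_LEVEL, False)
# Step 2: the iframe is then redirected to the content it was meant to show.
landing = Request("https://two.test.com/embedded/content", TOP_LEVEL, False)


def scenario_same_site_iframe() -> tuple[bool, bool]:
    """(cookie stored from the callback, cookie sent on the landing request)."""
    return cookie_accepted_on_set(AUTH_COOKIE, callback), cookie_sent(AUTH_COOKIE, landing)


def scenario_cross_site_iframe(same_site: str) -> tuple[bool, bool]:
    """Same flow, but the embedding page lives on an unrelated (constructed) site."""
    cookie = Cookie("auth_session", same_site)
    other_top = "https://portal.example.org/"
    cb = Request(callback.url, other_top, False)
    ld = Request(landing.url, other_top, False)
    return cookie_accepted_on_set(cookie, cb), cookie_sent(cookie, ld)


if __name__ == "__main__":
    print("same-site iframe, Lax :", scenario_same_site_iframe())
    print("cross-site iframe, Lax:", scenario_cross_site_iframe("Lax"))
    print("cross-site iframe, None:", scenario_cross_site_iframe("None"))
```

Under this model the reported setup is same-site throughout (both frames resolve to the site test.com), so a Lax cookie set by the callback response is stored and is attached to the very next iframe request; that matches the "Expected results" above and the behaviour the reporter sees after a refresh. The cross-site variant shows why SameSite=None is the only attribute that works when the embedding page is on a different registrable domain: a Lax cookie is rejected at set time there, not merely withheld. Browsers additionally require the Secure attribute on a SameSite=None cookie, which the model leaves out.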
Comment 1•5 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2•5 years ago
Hi Tim,
do you have a test page so I can test it? thanks!
Comment 3•5 years ago
Moving this to the correct component.
Updated•5 years ago
Updated•5 years ago
Comment 4•5 years ago
I misinterpreted - I thought we were able to reproduce this. So I guess we still need a test case - re-flagging the reporter for this.
Tim, could you share an example test case to reproduce this?
Updated•4 years ago