Cookies from parent window aren't sent in iframe via srcDoc
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: p0z1ck, Unassigned)
References
(Depends on 1 open bug)
Details
(Whiteboard: [domsecurity-backlog2])
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Steps to reproduce:
- clone https://github.com/z0h3/mozilla_bug
- npm i
- node bin/www
- open http://localhost:5000 in Mozilla
- check nodejs console:
request cookie [Object: null prototype] {} - open http://localhost:5000 in Chrome (Version 95.0.4638.69 (Official Build) snap (64-bit))
- check nodejs console:
request cookie { mycookie: 'value' }
Actual results:
Cookies from srcDoc script haven't been sent to backend from Firefox, but have been sent from Chrome.
Expected results:
Cookie from srcDoc script should have been sent to backend from Firefox.
|
||
Comment 1•3 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::Networking: Cookies' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
|
||
Comment 2•3 years ago
|
||
I can't find where this behavior is defined in spec, so it's not clear to me this is the expected behavior or not.
Anne, could you comment on this? Thanks.
|
||
Comment 3•3 years ago
|
||
See https://github.com/whatwg/html/issues/2641. We should use the same inheritance that we use for about:blank and such. (Ideally in the specification we introduce "cookie URL" and make it part of policy container. And ideally in Firefox we implement policy container to ensure copying/inheritance of policy state is done consistently.)
|
|
||
Comment 4•3 years ago
|
||
I think this is something that DOM:Security team might want to take.
|
||
Comment 5•2 years ago
•
|
||
How does the bug arise? the about:srcdoc document must have the correct principal on it or we'd be failing all kinds of other tests (wrong CSP and other policies). If you look up cookies by principal you should get the right set. If you're looking things up by URL then we must be getting the wrong cookies in a lot of other cases, too.
|
|
||
Updated•2 years ago
|
|
|
||
Comment 6•2 years ago
|
||
dveditz, policies are not automatically copied with the principal (we don't have the concept of policy container in Gecko). I'm pretty sure cookies are bound to a concept called "origin URI" (originURI) in Gecko and we probably haven't taken care of that here. (It being poorly defined (if at all) for over a decade doesn't help of course.)
DOM:Security makes sense to me as the place to own the conceptual (and hopefully eventually concrete) policy container.
|
|
||
Comment 7•2 years ago
|
||
The component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Comment 8•2 years ago
|
||
Hi together,
We have the same issues too. This behavior comes out after Firefox updated the version to 96 with the enforced "sameSite=lax" policy. Our iframes via srcDoc don't inherit the parent's cookies anymore and so all ajax-calls fails now. This is a critical BUG! On chrome it works like a charm even if we set the cookie processor sameSiteCookies="lax". As workaround our clients must deactivate the default lax settings in about:config.
To reproduce this issue, implement an iframe in your application via srcDoc and execute an ajax call (GET). As the cookies are not send, the server should respond, that you aren't authenticated.
Thank you Guys.
|
||
Comment 9•1 year ago
|
||
The cookies of the origin are not visible to javascript inside an srcdoc iframe.
Not only for fetch requests.
I've added some more details to the reproducer.
Description
•