1753918 - Unable to use MKCad Parts Library on onshape.com with samesite=Lax enabled

Status: RESOLVED WONTFIX

(Core :: Networking: Cookies, defect, P2)

Description

[Ksenia Berezina [:ksenia]]

Attachment: Screen Shot 2022-02-07 at 12.06.51 AM.png

This was originally reported in https://github.com/webcompat/web-bugs/issues/98508.

The account on this website requires some additional set up, so to save time I've created this document with credentials that our team uses: https://docs.google.com/spreadsheets/d/1TMLRdbD8wag4Pd_Cnb1UMnvMcty8vZ-MMBGpI42lpys/edit?usp=sharing

1. To reproduce, visit https://cad.onshape.com/documents/2210444308077e83f4997f0d/w/c607e8118ca1e9676e2d777d/e/78390b83d42d2a4dacce4219 and sign in.
2. Click on blue "MK" icon on the right of the screen
3. Observe the behaviour

Actual:
Sign in panel is displayed and after sign in it's redirecting back to it again

Expected:
Table with content is displayed

Setting network.cookie.sameSite.laxByDefault to false fixes the problem

Comment 1

[Ksenia Berezina [:ksenia]]

Attachment: Screen Shot 2022-02-06 at 11.35.39 PM.png

The problem seems to be with missing cookies in this particular request:
(https://oauth.onshape.com/oauth/authorize?response_type=code&redirect_uri=https://mkcad.julias.ch/oauthRedirect&client_id=2ZT7X5D646R3LM3ZND7LGBTYRVM4SVH6CDDGM6I=).

the two missing cookies are on and on-session-id

Comment 2

[Ksenia Berezina [:ksenia]]

Attachment: Screen Shot 2022-02-06 at 11.34.23 PM.png

This is the same request with samesite=Lax enabled and those two cookies are sent (in addition, a 302 redirect is performed)

Comment 3

[Thomas Wisniewski [:twisniewski]]

Until the situation with samesite lax is resolved, we can try reaching out to the site to see if they can fix this on their end. (We should probaby do the same for the other sites listed on the meta bug). For now I'll set this to webcompat P2.

Comment 4

[Manuel Bucher [:manuel]]

We won't be shipping samesitelax by default, so all of this breakage bug can be closed: Bug 1617609