Cookies set by popup launched from iframe (popup same-origin of iframe, iframe not same-origin of host page) are not readable when iframe reloads
Categories
(Core :: Privacy: Anti-Tracking, defect)
Tracking
()
People
(Reporter: marcus90, Unassigned)
References
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Steps to reproduce:
- Open a web page hosted on one site that embeds an application page in an iframe on a different host, but still within the same site.
- The iframe initially shows a reauthentication/sign-in-required page.
- Click the sign-in button inside the iframe flow, which opens a popup window on the iframe’s site. (this is specifically MSAL/OWIN with the Popup auth method)
- Complete the login flow in the popup. The popup finishes successfully and notifies the opener that authentication is complete.
- Reload the iframe, or reload the top-level page so the iframe loads again.
Notes:
- The iframe is cross-origin relative to the top-level page, but the popup and iframe are same-site with each other.
- The issue is specifically about cookie availability between popup and iframe contexts after a successful popup login.
- Chromium-based browsers handle the same flow correctly.
- Gecko/Firefox on mobile is also affected.
Actual results:
In Firefox, the popup login completes successfully, but the iframe remains unauthenticated after reload. The embedded page continues to show the sign-in/reauthentication UI instead of the authenticated application content.
The behavior suggests that the authentication cookie available in the popup context is not being made available to the iframe context, even after the popup flow has completed and the iframe is reloaded. Upon inspection, the cookie set by the popup (.AspNet.Cookies, SameSite=none, HttpOnly=true, Secure=true, HostOnly=true, Domain=<iframedomain>) is not readable from the iframe, but is readable if the popup is opened again for reauth.
This is reproducible in Firefox and does not reproduce in Chromium-based browsers, where the same popup login flow results in the iframe being able to read the cookie and becoming authenticated as expected.
Expected results:
Once authentication has completed in the popup, a subsequent iframe reload should observe the authenticated state and load the application normally.
(user agent is of Chromium browser, Firefox UA for testing is: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150.0) Gecko/20100101 Firefox/150.0)
|
||
Updated•20 days ago
|
|
||
Comment 2•19 days ago
|
||
Hi Reporter,
I’m not able to reproduce this on my side. Could you provide a minimal example that demonstrates the issue?
That would help us a lot in figuring this out.
Thanks.
I'd really love to, but it's happening on a SharePoint company site that embeds an IFrame, so I'm unable to give you a minimal repro. The most I believe I can do is share privately a HAR file with the issue, or try to grab some information for you on my end.
|
||
Comment 4•12 days ago
|
||
Hello marcus905,
Thank you for filing the bug report.
In addition to HAR file, could you please capture http logs for the issue as well?
Kindly select the cookie preset and log the output to a file and send it to necko@mozilla.com.
Log sent at that email address.
|
||
Comment 6•8 days ago
|
||
Thanks for the report. This sounds a bit like bug 2013783, but probably not the same.
Does Safari also handle the issue correctly, or just Chrome?
Could you also disable Enhanced tracking protection for the site and see if works?
https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop
Thanks!
Hi, we couldn't test safari on a Mac yet, but we had not received any report of it not working companywide, so I'd assume it works.
Disabling Enhanced tracking protection the IFrame works normally.
What is happening?
|
|
||
Comment 8•4 days ago
|
||
Moving to Privacy since this is mitigated by disabling ETP
cookie logs here: https://drive.google.com/drive/folders/1AsFcji90Kx-asnnUtOAl2k702oukcz1A?usp=drive_link (Mozilla only)
Description
•