Cookies not sent on 302 redirects when SameSite=Strict
Reported by
ryanholl...@gmail.com,
Dec 27 2016
|
||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.44 Safari/537.36 Steps to reproduce the problem: 1. Make POST to end point that returns a cookie with SameSite=Strict 2. Have POST respond with a 302 redirect to same URL (PRG) and set a cookie with SameSite=Strict 3. Notice that the cookie set by the 302 is not sent on the GET request. 3. What is the expected behavior? Since it is a get request on the same page it is expected that the SameSite=Strict cookie is sent. What went wrong? Cookies were not sent to the follow on GET request. If you use Lax it works, but it seems according to the SameSite draft spec and the definition of Safe methods (https://tools.ietf.org/html/rfc7231#section-4.2.1) they should be sent. Did this work before? No Chrome version: 55.0.2883.44 Channel: n/a OS Version: OS X 10.12.1 Flash Version: Shockwave Flash 24.0 r0
,
Dec 27 2016
,
Dec 27 2016
Not something we'd usually consider a security bug, but thanks for the report either way. Reclassifying it and removing view restrictions so that the network team can take a look.
,
Dec 28 2016
[+mkwst]: Mind following up on this when you get back? I'm not too familiar with the expectations here. I don't think there's enough information here to understand what's going on. What type of POST is this? A main frame form? An iframe form? And XHR/fatch POST? In the latter two cases, is the domain of main frame the same site as the one the POST is being made to or not? I'm not the expert here, but I'm guessing that the POST is cross-site, so we consider the GET cross-site as well (Which may or may not be according to spec).
,
Dec 28 2016
In the attached HAR you can see the request. It is a main frame POST. The initial POST request origin is a different domain, but I don't think that should matter. The POST response sets a cookie: set-cookie q2token=50sxdarlr5rr3xmntoeq4o5h; SameSite=Strict It also a 302 with a location: location /uux.aspx?logonErrorReturnCode=0&logonHttpStatusCode=200&logonExternalLogonName=autoret On the follow on GET to the specified location in the 302, the q2token cookie is not being sent. Removing SameSite=String or making SameSite=Lax WILL pass the cookie properly.
,
Dec 28 2016
Thanks for the followup! Removing Needs-Feedback label.
,
Mar 17 2017
Here's another repro case: https://gist.github.com/isaacs/8d957edab609b4d122811ee945fd92fd Run the node script, load it up in a browser, and follow the instructions. It's interesting that clicking the link from within _does_ work, but dragging (or copying) direct to the URL bar does not.
,
Mar 17 2017
Maybe related to: https://bugs.chromium.org/p/chromium/issues/detail?id=659554
,
Mar 17 2017
andreaslindpetersen: Thanks for the pointer, but different issue - that one is almost certainly because we aren't setting required security-related fields on <a download> requests (May also apply to save-link/image/whales-as requests), but since this is a POST request, don't think it's the same issue.
,
Mar 18 2017
I missed this, thanks for pinging me on Twitter. I'll take a look on Monday when I'm back at a computer.
,
Oct 4
(Unassigning myself, marking untriaged in preparation to retriage with folks who will do a better job taking care of cookies than I've been able to)
,
Jan 15
|
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by ryanholl...@gmail.com
, Dec 27 2016