New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 704123 link

Starred by 4 users
Status: Available
Owner: ----
Cc:
mkwst@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Cookies with SameSite=strict not sent for initial GET requests in special cercumstances

Reported by luzar.da...@gmail.com, Mar 22 2017 
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36

Steps to reproduce the problem:
1. Initialize a SameSite=strict (auth) cookie
2. Do *any* of the following:
  a) duplicate tab
  b) close tab & `ctrl + shift + t` to re-open it
  c) navigate to different origin, and use `back` button to navigate back
  d) deliberately crash the tab via Chrome Task Manager, and refresh it

What is the expected behavior?
The initial GET request to the server to fetch `index.html` should send the auth cookie alongside the request.

What went wrong?
The SameSite=strict cookie is not sent until later requests.

Did this work before? N/A 

Does this work in other browsers? Yes

Chrome version: 57.0.2987.98  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 

Happens on Canary channel as well. AFAIK other browsers do not yet implement it so can't repro.

Sorry for not tagging the issue, it let me only choose from blink categories FSR.

Related:

https://bugs.chromium.org/p/chromium/issues/detail?id=677164
https://bugs.chromium.org/p/chromium/issues/detail?id=626243

Comment 1 by luzar.da...@gmail.com, Mar 22 2017 

Also forgot to add the cookie domain is set to `example.com` without the preceding dot.

Comment 2 by rch@chromium.org, Mar 23 2017

Components: Internals>Network>Cookies

Comment 3 by rch@chromium.org, Mar 23 2017 

Can you collect a net-internals trace?

https://dev.chromium.org/for-testers/providing-network-details

Comment 4 by luzar.da...@gmail.com, Mar 24 2017 

Sent via email in case there is some sensitive info.

Comment 5 by mmenke@chromium.org, Mar 24 2017

Cc: mkwst@chromium.org
Components: Blink>SecurityFeature

Comment 6 by ajha@chromium.org, Mar 27 2017

Labels: Needs-Triage-M57

Comment 7 by durga.behera@chromium.org, Mar 29 2017

Labels: TE-NeedsTriageHelp
It looks to be out of scope from TE end, please add the steps if it can be reproduced and remove the label "TE-NeedsTriageHelp".

Comment 8 by mkwst@chromium.org, Apr 5 2017

Components: UI>Browser>Navigation
Labels: OS-Android OS-Chrome OS-Linux OS-Mac
Status: Available (was: Unconfirmed)
Yeah. It looks like we're still not getting the initiator right in the NavigationEntry. We should get this fixed.

Comment 9 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 10 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Comment 11 by dumbd...@gmail.com, Mar 16 2018 

Not 100% sure if this is directly related, but it seems like a "special circumstance" in which the cookies should be sent.

To prevent tabnabbing, scripts like blankshield (https://github.com/danielstjules/blankshield) will listen for the click event and prevent the default browser behavior of opening a new tab. Inject a hidden iframe that opens the new tab, then immediately remove the iframe.

The iframe doesn't have a domain, it is location is "about:blank". When the iframe opens the new tab/window (via window.open(...) in it's context) it should send the SameSite=Strict cookies in the request. This was working until M65. I am not sure if it was intentionally removed.

I can understand the case with "Site A" opens "Site B" via "about:blank" iframe and not sending the cookies, but what about the case where "Site A" opens "Site A" via "about:blank"? That seems like it should send the cookies.

Comment 12 by mmenke@chromium.org, Apr 25 2018

Components: -Internals>Network>Cookies
Not really a network issue - not sure if this was fixed.

Sign in to add a comment