Service Worker Navigation Preloads don't send SameSite cookies
Reported by steffen....@gmail.com, Feb 7 2018
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Steps to reproduce the problem:
1. Load the attached test-case from a secure origin (HTTPS or localhost)
2. Open the "Network" tab of the Developer Tools
3. Enable the "Preserve log" checkbox
4. Reload the page
5. Find the Navigation Preload request (its "Initiator" column value is "Preload")
What is the expected behavior?
The Navigation Preload request should send both demo cookies ("cookie" and "samesite-cookie").
What went wrong?
The Navigation Preload request sends the normal cookie ("cookie") but not the SameSite cookie ("samesite-cookie").
Did this work before? N/A
Does this work in other browsers? Yes
Chrome version: 64.0.3282.140 Channel: stable
OS Version:
Flash Version:
The issue exists (at least) in Chrome 64.0.3282.140 and in Chrome 65.0.3325.31. I have not tested older versions.
Feb 7 2018
Assigning to falken@ for initial triage.
Feb 7 2018
Feb 8 2018
Thanks for filing the issue! From Issue(796480) @creis: Could you please confirm if this issue is similar to that of https://bugs.chromium.org/p/chromium/issues/detail?id=796480.
Feb 8 2018
It looks like issue 796480 is unrelated; I think SameSite cookies just aren't supported now for Nav Preload, sorry:
// TODO(horo): Set site_for_cookies to support Same-site Cookies.
https://cs.chromium.org/chromium/src/content/browser/service_worker/service_worker_fetch_dispatcher.cc?l=696&rcl=0cd774907cd3d30b4daceb682420056fa5472ab2
Feb 8 2018
Thank you for the research. Navigation Preloads are recommended to speed up Service Workers (https://developers.google.com/web/updates/2017/02/navigation-preload). And Google recommends SameSite cookies as a CSRF countermeasure and more recently as a Meltdown/Spectre mitigation (https://developers.google.com/web/updates/2018/02/meltdown-spectre). It's a bummer that these features are mutually exclusive at the moment. Any chance that this could be prioritized if the fix is not prohibitively complicated / technically expensive?
Aug 1
Nov 20
This issue seems to be fixed in Chrome 72 (still broken in 71.0.3578.53 but works in 72.0.3610.2). Can someone confirm?
Jan 10
This was originally fixed by issue 715640 as ServiceWorkerServicification started shipping (it was originally not shipping in 71 but is now shipping in 71), and then fixed for the non-servicified path by issue 913220. We should add a WPT for this. I opened issue 920488.
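A server-side check for the behaviour reported in this issue, as an added example that is not part of the original thread, the attached test-case or Chromium's tests. It assumes a Node.js origin serving a page whose service worker has navigation preload enabled; the function names, the port, the `--listen` switch and the `SameSite=Strict` attribute are assumptions, while the two cookie names come from the report.

```javascript
// Added example. Cookie names are the demo cookies named in the report.
const EXPECTED = ['cookie', 'samesite-cookie'];

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    const name = eq < 0 ? '' : part.slice(0, eq).trim();
    if (!name) continue; // skip empty or nameless pairs
    jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Classify one request from its header object (Node lower-cases header names).
// Navigation preload requests carry the Service-Worker-Navigation-Preload header.
function checkRequest(headers) {
  const preload = headers['service-worker-navigation-preload'] !== undefined;
  const jar = parseCookies(headers['cookie']);
  const missing = EXPECTED.filter((name) => !jar.has(name));
  // The reported symptom: the normal cookie arrives, the SameSite one does not.
  const affected = preload && jar.has('cookie') && !jar.has('samesite-cookie');
  return { preload, missing, affected };
}

// HTTP handler: sets both demo cookies and logs every preload request.
function handler(req, res) {
  const result = checkRequest(req.headers);
  if (result.preload) console.log(req.url, JSON.stringify(result));
  res.setHeader('Set-Cookie', [
    'cookie=1; Path=/',
    'samesite-cookie=1; Path=/; SameSite=Strict', // Strict is an assumption
  ]);
  res.setHeader('Content-Type', 'text/plain');
  res.end(JSON.stringify(result));
}

// Constructed sample: a preload request as an affected browser would send it.
const SAMPLE_AFFECTED = {
  'service-worker-navigation-preload': 'true',
  cookie: 'cookie=1',
};

if (process.argv.includes('--listen')) {
  require('http').createServer(handler).listen(8080, '127.0.0.1');
}
```

Ordinary navigations are never flagged, so only requests that carry the preload header and lack the SameSite cookie show `affected: true` in the log.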
Comment 1 by steffen....@gmail.com
, Feb 7 2018