In iOS18, WKWebView's default cookie SameSite value is Lax. Prior to iOS18, the default value is None.
Is this intentional, or a bug? This change is not documented anywhere.
I made a sample XCode project (ViewController code below) to show this change. It loads www.apple.com into a WKWebView and prints cookies. That site has several cookies, but it only explicitly sets SameSite to None for one cookie, s_vi. Every other cookie relies on default WKWebView behavior. When looking at cookies, either in the console or in Safari's Web Inspector, the SameSite value differs. If older than iOS18, every cookie has SameSite of None. If iOS18, all cookies except s_vi have SameSIte of Lax.
I also tried manually setting the following cookies:
testCookie-none with SameSite set to None
testCookie-lax with SameSite set to Lax
testCookie-strict with SameSite set to Strict
testCookie- with SameSite set to an empty string
When looking at these cookies, testCookie-none and testCookie- have their SameSite of None if older than iOS18, but are both Lax in iOS18. So, it seems we cannot manually set the SameSIte to None either.
I realize updating the server to return the SameSite value would resolve this. However, in my app where I'm struggling with this issue, that server is Salesforce. Only they can update their response headers. Since this change isn't documented by Apple, I am assuming it is a bug and not intentional. Are there any workarounds? Any input by Apple on a fix?
Below is the ViewController code, and images of the cookies in Safari's Web Inspector.
import UIKit
import WebKit
class ViewController: UIViewController, WKNavigationDelegate {
var webView: WKWebView!
override func loadView() {
// Create WKWebView
let config = WKWebViewConfiguration()
webView = WKWebView(frame: .zero, configuration: config)
// Allow inspection in Safari debugger
webView.isInspectable = true
// Track the request to load our website
webView.navigationDelegate = self
// Manually add four cookies:
// testCookie-none with SameSite set to None
// testCookie-lax with SameSite set to Lax
// testCookie-strict with SameSite set to Strict
// testCookie- with SameSite set to an empty string
addTestCookies()
view = webView
}
override func viewDidLoad() {
super.viewDidLoad()
// Load a website
let urlString = "https://www.apple.com"
self.webView.load(URLRequest(url: URL(string:urlString)!))
}
// Once the website loads, print the cookies.
func webView(_ webView: WKWebView, didFinish navigation: WKNavigation!) {
WKWebsiteDataStore.default().httpCookieStore.getAllCookies { cookies in
for cookie in cookies {
print(cookie)
}
}
}
/*
Manually add the following cookies for domain .apple.com
testCookie-none with SameSite set to None
testCookie-lax with SameSite set to Lax
testCookie-strict with SameSite set to Strict
testCookie- with SameSite set to an empty string
In older iOS versions, both testCookie-none and testCookie- will have their SameSite as none.
In iOS18, no cookie will have SameSite as None.
*/
func addTestCookies()
{
let httpCookieStore = WKWebsiteDataStore.default().httpCookieStore
for sameSitePolicy in ["none", "lax", "strict", ""] {
httpCookieStore.setCookie(HTTPCookie(properties: [
HTTPCookiePropertyKey.path: "/",
HTTPCookiePropertyKey.name: "testCookie-"+sameSitePolicy,
HTTPCookiePropertyKey.value: "1",
HTTPCookiePropertyKey.domain: ".apple.com",
HTTPCookiePropertyKey.secure: true,
HTTPCookiePropertyKey.sameSitePolicy: sameSitePolicy
])!)
}
}
}