CFNetwork not handling cookie attribute "SameSite=none" correctly in macOS <10.15

Google are starting to enforce stricter cookie handling in Chrome 80 next week. In researching this change it appears iOS 12 and below and macOS 10.14 and below have a core networking issue that prevents proper handling of the "Samesite=none" cookie attribute.


It's reported that older versions of CFNetwork/Safari/Webkit erroneously handle "Samesite=none" as the equivalent of "Samesite=strict". This might have big consequences as web service providers start using the Samesite attribute more widely.


There are details in the Webkit bug 198181 (now resolved) thread here: https://bugs.webkit.org/show_bug.cgi?id=198181


Part way down is a reference to a CFNetwork/NSHTTPCookie fix for this issue under rdar://problem/42290578.


However, other comments indicate that this fix is unlikely to be back ported to previous macOS & iOS versions.



Does anyone have a definitive answer as to whether iOS 11/12 and macOS 10.13/10.14 will receive a fix for the cookie Samesite handling issue?

Replies

Does anyone have a definitive answer as to whether iOS 11/12 and macOS 10.13/10.14 will receive a fix for the cookie Samesite handling issue?

You generally won’t get an answer to questions like this on DevForums. Those folks who don’t know, including myself, can only speculate. And any Apple folks who do know won’t make announcements like that here.

My experience is that Apple only ships software updates for old iOS versions to deal with critical security problems. Given that, I’d be very surprised if there was a fix for this for pre-iOS 13 releases.

Software updates for old Mac releases have a little more latitude. If you’d like to see this bug fix (r. 42290578) on older macOS releases, you should file your own bug report requesting that.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Reported as FB7586636.


We now have data that shows 12.7% (>5,000) of devices (the vast majority being Apple devices) accessing our web services are likely to be affected by the samesite=none cookie handling issue.
We are anxious to preserve a good user experience for these devices and to prevent web services suppliers having to reduce standard security settings for these users by unreliable means including User Agent sniffing etc.
I believe it can be argued that the inability to properly handle samesite=none (& its other variations) will have a material effect on the future online security of users of older macOS & iOS versions.
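
One way to serve both kinds of client without User Agent sniffing is to set the session cookie twice, once with SameSite=None; Secure and once with no SameSite attribute, and to accept either on read. This is an added example, not code from any poster in this thread; the cookie name "sid", the "_legacy" suffix and the function names are assumptions, and the client model covers only the None-as-Strict behaviour described above, not Safari's cross-site tracking prevention.

```javascript
// Added example: "sid", the "_legacy" suffix and all function names are assumptions.

// Emit the session value twice: once as SameSite=None; Secure, and once with no
// SameSite attribute for clients that read "None" as "Strict".
function buildSessionCookies(name, value) {
  const base = `=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure`;
  return [`${name}${base}; SameSite=None`, `${name}_legacy${base}`];
}

// Parse a Cookie request header ("a=1; b=2") into a Map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    const name = eq < 0 ? "" : part.slice(0, eq).trim();
    if (!name) continue; // skip empty or nameless fragments
    const raw = part.slice(eq + 1).trim();
    try { jar.set(name, decodeURIComponent(raw)); } catch { jar.set(name, raw); }
  }
  return jar;
}

// Prefer the SameSite=None cookie; fall back to the legacy copy.
function readSession(cookieHeader, name) {
  const jar = parseCookieHeader(cookieHeader);
  if (jar.has(name)) return jar.get(name);
  return jar.has(`${name}_legacy`) ? jar.get(`${name}_legacy`) : null;
}

// Constructed model, not browser code: the Cookie header a client attaches to a
// cross-site subrequest. treatsNoneAsStrict=true models the behaviour reported
// for older CFNetwork; false models a client that sends None+Secure cookies and
// treats attribute-less cookies as Lax.
function crossSiteCookieHeader(setCookies, treatsNoneAsStrict) {
  const sent = [];
  for (const line of setCookies) {
    const [pair, ...attrs] = line.split(";").map((s) => s.trim());
    const ss = attrs.find((a) => /^samesite=/i.test(a));
    const mode = ss ? ss.split("=")[1].toLowerCase() : "absent";
    const secure = attrs.some((a) => /^secure$/i.test(a));
    const ok = treatsNoneAsStrict ? mode === "absent" : mode === "none" && secure;
    if (ok) sent.push(pair);
  }
  return sent.join("; ");
}
```

Clear both cookies when the session ends, so the legacy copy cannot outlive the primary one.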

Even after adding sameSite=None; Secure, latest Safari version 13 on macOS 10.15, we are still seeing an issue of session timed out with third party cookies, and Chrome works really well with this approach. Is this expected? For sure no from above conversation or links. Could you guys please confirm. Any further details or information is much appreciated. Thanks

Hi Eskimo,

Hope you are doing well!!

Even after adding sameSite=None; Secure, latest Safari version 13 on macOS 10.15, we are still seeing an issue of session timed out with third party cookies, and Chrome works really well with this approach. Is this expected? For sure no from above conversation or links mentioned. Could you please confirm. Any further details or information is much appreciated.
Just recently seen a similar issue on iPad with the details below

Software Version – 13.3.1

Model Name – iPad Pro (9.7 inch)

Any help would be of great help.
Thanks in advance.

I have this situation too

I also encountered this problem when using version 13.1.1, and I had to cancel the 'prevent cross site tracking' option. But this kind of operation obviously brings some potential problems.
Chrome and Firefox do a good job in this aspect. Can we also deal with the samesite problem?
SameSite=None cannot be set in iOS 12.
So, when linking with an external site, the previous session data disappears.

Apple, please tell me how to work around this problem or fix the bug.
I'm seeing the same problem in Safari 14.x. Is there any workaround or fix for this issue?
Getting this issue on Safari 14
Same here. Adding to bump the issue. Come on, Apple.
I'm seeing a similar issue with SameSite=None, which is affecting attribution for thousands of users. This SameSite=None is working correctly on all other browsers except Safari.
@Apple any update on the fix for this issue?