koba04/safari-samesite-none.md

Summary

It depends on the setting of Prevent cross-site tracking whether Safari blocks 3rd party cookies even if SameSite is None.

How to Display SamSite=None is different from each browser

Chrome

Firefox

Safari

Thank you for the investigation 👍 Chrome is anticipated to introduce the same in 2022. Now we're forced to stop using 3d party cookies even for legit use-cases.

@grundmanise Yes, Chrome has postponed changing the default SameSite attribute Lax so the timeline might be changed.

Hello @koba04

That's pretty interesting finding. I am not sure if this is a bug but did you have a chance to talk with the Safari team?

@ceckoslab I've filed the issue and had an answer from the WebKit team.

The em dash (—) represents the "None" value, both in the case that it is explicitly specified (SameSite=None) and in the case that SameSite is entirely omitted (from what I understand, this will be interpreted as if SameSite=None).

https://bugs.webkit.org/show_bug.cgi?id=210178

Hello @koba04,

Thanks for responding so quickly. My question was more about the point "1. Does Safari block 3rd party cookies with SameSite=None?". The different behavior between Catalina and Mojave is the thing that worries me and looks like it could break things.

Are you aware of any bug reports about point 1?

Hello @koba04,

I think that I finally understood it. Seems that we have different behavior in Mojave and Catalina when Prevent cross-site tracking is enabled.

My confusion with this is that I can' find any release notes that say if that is the intended behavior. My theory is that in Catalina the Safari team fixed what was their initial intend with Prevent cross-site tracking in Mojave but probably they were not so strict in Mojave ...

Thanks for doing the research!

@ceckoslab As I mentioned https://gist.github.com/koba04/d52765516600ec51d1761bb0ce994a11#gistcomment-3305451, I've found that this depends on the setting of "Prevent cross-site tracking".
But I could not confirm that how Safari on Mojave behaves because I don't have any environments of Mojave.

Do you mean that there is a case that Mojave doesn't block 3rd party cookie?

Yes @koba04 , on Mojave I can see on SiteB the following cookies: foo=SiteBCookie; foo2=SiteBNone.

If I am right then probably it's worthy that we open another issue/question for the Safari team.

Reference:

OS version: macOS Mojave 10.14.6
Browser: Safari Version 13.1.1 (14609.2.9.1.3)

Prevent cross-site tracking: Enabled

Result from your test:

@ceckoslab Thank you for your investigation!

If I am right then probably it's worthy that we open another issue/question for the Safari team.

Yeah, I agree with you.
According to your research, it seems to be a current behavior that Safari 13.1 on Catalina blocks all 3rd party cookies. The blog post didn't mention the OS version though.
https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

Hello @koba04

I filed a bug: https://bugs.webkit.org/show_bug.cgi?id=214608

But it looks like this is a feature ... concluded by reading some other people's bugs: https://bugs.webkit.org/show_bug.cgi?id=210298

Thank you!!

I was spinning my wheels trying to figure out what was going on with Safari and SameSite. This page saved me! Thank you very much!