
My company's website (mercury.co) sends password reset links via email to users. We ran into some really weird behavior that we can only reproduce in the Gmail iOS app relating to the SameSite Lax attribute:

  1. The user follows a link in their email to https://mercury.co/reset-password
  2. The browser loads JavaScript from that URL to set up the site
  3. The client does a GET request, which returns a CSRF token in a cookie. This token has the SameSite Lax attribute set.
  4. Expected behavior: The client can read the cookie with the CSRF token in it. Actual behavior: The client cannot read the cookie. We've determined this by doing an alert(document.cookie) and seeing the CSRF token is not there when SameSite Lax is set, but is there when the SameSite attribute is not set.

This causes the next POST request to fail because it can't get the CSRF token to be sent to the server. Though, if you look at the cookies that are sent in the request, it includes the cookie that has the CSRF token in it.

My understanding is that the cookie should be readable, because it is not cross-site in this context. And it certainly should not be unreadable, and then sent to the server on the next request.

My understanding is that SameSite Lax cookies should not prevent the client from reading this cookie.

As a fix, we've determined we don't need the SameSite Lax attribute on this particular cookie. However, we'd still like to understand the underlying cause of this issue.

Some details of our investigation so far:

  • We can only reproduce the issue in the iOS Gmail app. We can't reproduce the issue by creating our own UIWebView or WKWebView (I ran in the iOS simulator for iOS 12.2). We can't reproduce it on the two iPads we tested on (though those are maybe different iOS versions). I tested on my iPhone running iOS 12.2.
  • Based on using this method: https://stackoverflow.com/a/18678703/1176156 our application is not embedded in an iframe or anything when run in Gmail. We also disallow wrapping our site in an iframe via header.
MaxGabriel

2 Answers


You mostly answered your own question (and pointed me in the right direction :-) ). For the sake of completeness, I found the relevant bug: Safari (still) doesn't send Lax cookies after a cross-site redirection.

This was fixed in release 77, which explains why the bug does not occur in iOS 12.3.1.

Niklas

As it turns out, this must have been a bug in iOS 12.2, because I can no longer reproduce this behavior in iOS 12.3.1. I can't find an iOS changelog detailed enough to show this fix, though, and I didn't find anything relevant in the Webkit changelog.

MaxGabriel