Javascript cookies set in cross-site iframes are not detected/considered by PSAT #645

Open
lcrespilho opened this issue Apr 25, 2024 · 1 comment
Labels
bug Something isn't working

@lcrespilho

Describe the bug
JavaScript cookies (those set with document.cookie) set in cross-site iframes are not being detected by PSAT. They are considered by the browser, though.

To Reproduce
Steps to reproduce the behavior:

  1. Create the https://domain-aaa.com/topframe.html file with this code:

      <!DOCTYPE html>
      <html>
      <body>
        <iframe src="https://domain-bbb.com/iframe.html" frameborder="1"></iframe>
      </body>
      </html>

  2. Create the https://domain-bbb.com/iframe.html file with this code:

      <!DOCTYPE html>
      <html>
      <body>
        <script>
          document.cookie = 'test=test1; SameSite=none; Secure'
        </script>
      </body>
      </html>

  3. Open Chrome via helper chrome-3pcd-ps.
  4. Open the page https://domain-aaa.com/topframe.html.

Note: I have set up a similar test lab here: https://louren.co.in/PSAT/issue645/topframe.html

Expected behavior
The cross-site iframe tries to create a third-party cookie without the Partitioned attribute and can't, because chrome-3pcd-ps has 3PC disabled. This is the expected behavior, and even the DevTools console logs the attempt in the Issues tab. The problem is that the attempt should be detected/logged by PSAT, but it isn't.

Screenshots
Screenshot 1: DevTools issues panel evidencing that there was a failed attempt to create the 3PC without Partitioned attribute:
[image: Screenshot 2024-04-25 at 12 55 56]

Screenshot 2: PSAT didn't detect the failed attempt to create the cookie:
[image: Screenshot 2024-04-25 at 12 58 35]

Desktop (please complete the following information):

  • OS: macOS 14.4.1 Sonoma
  • Browser: Chrome
  • Version: 124.0.6367.80 (Official Build) (arm64)

Additional context
PSAT System Information:

Open Tabs: 1
Active Extensions:
Google Docs Offline: ghbmnnjooekpmoecnnnilnnbdlolhkhi
Privacy Sandbox Analysis Tool: ikodlagpencphdljdpelmcajjlloiomb
Chrome Version: Version 124.0.0.0 (arm64)
PSAT Version: 0.7.0
OS - System Architecture: MacOS (arm64)

milindmore22 added the bug label Apr 26, 2024
@milindmore22
Collaborator

Hello @lcrespilho

Thanks for bringing this to our attention! You’re correct, PSAT’s JavaScript cookie detection (specifically the document.cookie) is currently limited to the main website frame and doesn’t extend to subframes (iframes).

We recognize this as a bug and are actively working on a fix. The solution will be included in an upcoming version, so stay tuned!

GoogleChromeLabs deleted a comment May 10, 2024
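
Added example (not part of the issue thread, and not PSAT or Chrome code): a simplified model of the outcome described under "Expected behavior", classifying a document.cookie write by frame context and cookie attributes so that a blocked attempt in a subframe can be reported alongside stored cookies. The function names are hypothetical, and the frame and top-level sites are assumed to be supplied by the caller.

```javascript
// Added example: a simplified model of the browser's decision, not Chrome's or PSAT's code.

// Parse the string assigned to document.cookie into a name, a value and attributes.
function parseCookieWrite(str) {
  const [pair, ...rest] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? '' : a.slice(i + 1).trim();
  }
  return cookie;
}

// Classify one write. frameSite and topSite are schemeful sites supplied by the
// caller (assumption: deriving them needs the Public Suffix List, omitted here).
function classifyCookieWrite(str, frameSite, topSite, thirdPartyCookiesBlocked) {
  const { name, attrs } = parseCookieWrite(str);
  const sameSite = (attrs.samesite || 'lax').toLowerCase(); // unspecified is treated as Lax
  const secure = 'secure' in attrs;
  const partitioned = 'partitioned' in attrs;
  const crossSite = frameSite !== topSite;
  const result = (outcome, reason) => ({ name, crossSite, outcome, reason });

  if (sameSite === 'none' && !secure) return result('blocked', 'SameSite=None requires Secure');
  if (partitioned && !secure) return result('blocked', 'Partitioned requires Secure');
  if (!crossSite) return result('stored', 'first-party write');
  if (sameSite !== 'none') return result('blocked', 'SameSite=Lax/Strict write from a cross-site frame');
  if (thirdPartyCookiesBlocked && !partitioned) {
    return result('blocked', 'unpartitioned third-party cookie while third-party cookies are blocked');
  }
  return result('stored', partitioned ? 'partitioned third-party cookie' : 'third-party cookies allowed');
}

// Constructed sample: the cookie from the reproduction steps, plus a Partitioned variant.
const TOP = 'https://domain-aaa.com';
const FRAME = 'https://domain-bbb.com';
const samples = [
  'test=test1; SameSite=none; Secure',
  'test=test1; SameSite=none; Secure; Partitioned',
];
for (const s of samples) {
  console.log(s, '->', classifyCookieWrite(s, FRAME, TOP, true));
}
```
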