Firefox 102.15.1esr(64-bit) on linux.
Using Chrome 117.0.5938.62 on the same machine I can see the cookie from Webkeycard.com being passed in a request from keyboxmail.com in a fetch call to webkeycard. In Firefox, there are no cors errors, the response.ok is true, but the credentials are *NOT* included in the fetch. Not in the headers, not in the cookie tab. There is absolutely nothing I can find that shows something is wrong.
The call to fetch():
credentials: "include"
method post
headers {"content-type": "application/json"}
My webkeycard cookies (examined in a webkeycard session) seems good.
httponly is true, (but I don't support http)
secure true,
samesite none.
The cors response does include "keyboxmail.com"
HTTP/2 204 No Content
date: Thu, 12 Oct 2023 13:51:39 GMT
vary: Origin
access-control-allow-origin: https://keyboxmail.com
access-control-allow-credentials: true
access-control-allow-methods: GET,POST,OPTIONS
access-control-allow-headers: content-type
xcontent-security-policy: default-src 'self';
content-security-policy: connect-src 'self'; script-src https://webkeycard.com;
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dl1Y6Om7%2Bse%2Bl%2FIck8uQxTceVHCL%2F9tRBu%2BhBycJiARr4Q1dXEy9KxvU%2BRWocq0tX3fuAYRm%2FcBR%2FhtvFQsjvdzPqxwGLqo%2FlOVF%2F4GJzBpN3ANUyYkDlmC9Z%2BNd5TmQvg%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 814fd19d791bc3f3-EWR
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2
One final note is that this is *NOT* user initiated. When the keyboxmail ui starts, it immediately attempts to find out if there is an account on webkeycard.
What makes this hard is that Chrome (which I don't like but need to support) works.
Any ideas, lines of attack?
On a broader note, webkeycard is something like "login with apple" but with anonymity. I have a working implementation using an "intent" kind of mechanism. keyboxmail server does a fetch to webkeycard server on receipt of a "getuser()" request. An "intent" is stored in a db on kbx, the user is sent a url, goes to wkc, blah, blah blah. I am trying to replace this complex interaction with the kbx user just fetching a token from wkc. Maybe this is a bad idea?
Thanks