Sep 03 2024 08:32 PM - edited Sep 03 2024 09:04 PM
Hi,
We've noticed an issue with the latest Teams macOS client regarding cookie handling in the Teams Tab App (loaded in an iframe). Specifically, cookies are being partitioned with a unique partition key, even though the Partitioned attribute has not been explicitly set.
Interestingly, if a 3rd-party cookie isn’t set within the Teams Tab App (i.e., the iframe), the cookie doesn’t get partitioned. This can result in two cookies with the same name but different values being set in the same browser. When both cookies are sent to the server, the non-partitioned cookie appears first in the Cookie header, causing the server to always use this one. To make it worse, the cookie set without the partition key will never be updated.
Here’s the scenario we encountered:
1. We have both a Teams Bot and a Teams Tab App.
2. The Teams Bot sends a card message to a personal chat, which contains an image hosted on our web server.
3. When the card message is rendered, the image is loaded from our server, and the server sets a LoadBalancer cookie.
4. The Teams client saves this LoadBalancer cookie without a partition key.
5. When the user opens the Teams Tab App, the client loads the Tab App from the same server in an iframe.
6. The server sets another LoadBalancer cookie for requests coming from the Tab App.
7. However, this time, the Teams client saves the LoadBalancer cookie with a partition key.
8 The Teams client then sends both cookies to the server, but the server always uses the non-partitioned cookie since it appears first
9. One workaround we’ve tried is using a base64 encoded image in the card message, but this isn’t an ideal solution as it increases the size of the message, especially for larger images.
We would appreciate it if the Teams client could:
1. Always set the partition key for 3rd-party cookies, not just when the cookie is set within the Tab App (i.e., iframe). The current behavior doesn’t seem to align with the CHIPS specification.
2. Proxy the image in the card message through the Teams domain, rather than loading the 3rd-party image directly. We’ve noticed that the Teams client already does this for some cards but not consistently across all cards.
Sep 04 2024 01:17 AM
Sep 05 2024 12:34 AM
@zyue_mstr - This behavior is expected. We force partition all embedded/iframed app cookies in the Teams Desktop Client (for both Mac and Windows) in order to support isolation of cookies and other offline storage across the multiple user accounts that the New Teams Client supports.
The most viable short-term mitigation here is to use different domain/path for the images used in their adaptive cards vs their tabs. That would avoid causing collisions between their partitioned and unpartitioned cookies.
Sep 05 2024 03:37 AM
I understand you force partition all embedded/iframe app cookies in the Teams Desktop. However, it looks like the implementation has ignored the third-party cookies set from the personal chat pannel.
It happens when a message card contains an image which is loaded from a third-party web site. If the image request set a cookie, then that cookie is not partitioned. Is this a flaw or a potential security hole since the 3rd-party cookies are not completely isolated across multiple accounts?
For example, the picture below will load an image from the personal chat. And this image request will set a third-party cookie, this cookie is not partitioned by the Teams client and it is shared by all accounts opened the same website.
Another problem is that we found that Teams has rewritten some images' URL from the same site. The pie chart image in the picture below is also loaded from our website, but the Teams client rewrites it. You can see the domain is no longer ours. However, it doesn't rewrite the image URL in the above picture. Both images' URL are built from the same domain and included in the Adpative Card. One image URL is rewrited while another is not. Is this a problem?
Sep 06 2024 03:32 AM