281385 2024-10-12 13:12:32 -0700 Safari 18.0 Browser Extensions Fail to Set Cookies while expirationDate Exists 2025-02-01 19:58:23 -0800 1 1 1 Unclassified WebKit WebKit Extensions Safari 18 All macOS 15 RESOLVED FIXED InRadar P2 Critical --- 283110 1 khaledenglish timothy timothy webkit-bug-importer oldest_to_newest 2067524 0 khaledenglish 2024-10-12 13:12:32 -0700 Starting from Safari 18.0, browser extensions (on iOS, iPadOS, and macOS) cannot set persistent cookies using `browser.cookies.set()` if the parameter `expirationDate` is present. For example, (a) this does not set cookies (the result of `browser.cookies.get("cookie_name")` is null: ============================= browser.cookies.set({ name: "cookie_name", url: "url_string_goes_here", value: "jwt_token_goes_here", domain: "domain_string_goes_here", secure: true, sameSite: "lax", expirationDate: number_of_seconds_to_live }); while (b) this works: ===================== browser.cookies.set({ name: "cookie_name", url: "url_string_goes_here", value: "jwt_token_goes_here", domain: "domain_string_goes_here", secure: true, sameSite: "lax", }); HOWEVER, (b) is now a "session" cookie that cannot be used to save JWTs. The moment the user closes the browser, they need to login again! This problem started from Safari 18.0, and did not exist in Safari 17. The current released of Safari (i.e., 18.0.1) still has this bug. Reference: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies/set 2067525 1 webkit-bug-importer 2024-10-12 13:12:40 -0700 <rdar://problem/137812683> 2069717 2 timothy 2024-10-21 17:17:27 -0700 Pull request: https://github.com/WebKit/WebKit/pull/35559 2069791 3 ews-feeder 2024-10-22 06:41:56 -0700 Committed 285552@main (b66e4895df40): <https://commits.webkit.org/285552@main> Reviewed commits have been landed. Closing PR #35559 and removing active labels. 2071079 4 ews-feeder 2024-10-28 15:43:51 -0700 Committed 283286.357@safari-7620-branch (2e81a87a6d53): <https://commits.webkit.org/283286.357@safari-7620-branch> Reviewed commits have been landed. Closing PR #2124 and removing active labels. 2091277 5 khaledenglish 2025-02-01 19:58:23 -0800 The issue seems to still be there. As soon as Safari quits, the cookie does not persist, and re-authentication is required. The issue has been introduced in Safari 18.0, and it still exists in the current version (18.3). The code below worked fine in previous Safari versions (15.x to 17.x). Example: const currentTime = Math.round(new Date().getTime() / 1000); const expiresAfter = 60 * 60 * 24 * 7; // 7 days const expirationDate = currentTime + expiresAfter; browser.cookies.set({ name: "cookie_name", url: "url_string_goes_here", value: "token_goes_here", domain: "domain_string_goes_here", secure: true, sameSite: "lax", expirationDate: expirationDate });