| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Unable to set secure+httpOnly cookie for localhost in Safari from Node JS | | |
| Product: | WebKit | Reporter: | Raj <rajdeep91> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Major | CC: | anagstef, andresg_22, beidson, gsnedders, julian.fortune, robertknight, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 15 | | |
| Hardware: | All | | |
| OS: | macOS 11 | | |
| Attachments: | | | |
Description

Raj, 2021-10-21 09:03:43 PDT

Oops, consider the below line of code uncommented:

```js
res.send("<h2>CGID is now set</h2>")
```
Http Cookie on Edge vs Safari

I am using node express server to set a httpOnly cookie on localhost:3000. I can see the cookie being set on other browsers but not on Safari.

Here is the HTML code:

```html
<html>
<head>
<title> CGID Beta </title>
<script src="https://assets.adobedtm.com/43cf45b098bd/38a98b49e24d/launch-5d7d0d6eb58d-development.min.js" async></script>
</head>
<body>
<br><br><br>
<h1><center>Welcome to CGID beta program</center></h1><br><br><br><br>
<h3><center>To set a http only cookie click the below button</center></h3><br><br><br>
<center>
<form method="post" action="/">
<button type="submit">CLICK ME</button>
</form>
</center>
</body>
</html>
```

Here is the node server-side code:

```js
const express = require("express");
const bodyParser = require("body-parser");
const cookieParser = require("cookie-parser");
const { v4: uuidv4 } = require("uuid");

const app = express();

app.use(cookieParser());
app.use(bodyParser.urlencoded({
  extended: true
}));

// Serve the form page.
app.get("/", (req, res) => {
  res.sendFile(__dirname + "/index.html");
});

// Set the HttpOnly + Secure cookie when the button is clicked.
app.post("/", function (req, res) {
  res.cookie("CGID", uuidv4(), {
    // Express takes maxAge in milliseconds; without the "* 1000" this
    // value (60*60*24*30*13) would expire the cookie after about nine hours.
    maxAge: 60 * 60 * 24 * 30 * 13 * 1000,
    httpOnly: true,
    secure: true,
    sameSite: "lax",
    domain: "localhost",
    path: "/",
  });
  // Uncommented as per the follow-up note; without a response the request hangs.
  res.send("<h2>CGID is now set</h2>");
});

app.listen(3000, () => {
  console.log("Application started and Listening on port 3000");
});
```
John Wilander, comment #6

Thanks for filing.

(In reply to Raj from comment #0)
> Created attachment 442035 [details]
> Http Cookie on Edge vs Safari
>
> I am using node express server to set a httpOnly cookie on localhost:3000. I can see cookie setting on other browsers but not on Safari.
>
> Here is HTML code:
>
> <html>
> <head>
> <title> CGID Beta </title>
> <script src="https://assets.adobedtm.com/43cf45b098bd/38a98b49e24d/launch-5d7d0d6eb58d-development.min.js" async></script>
> </head>
> <body>
> <br><br><br>
> <h1><center>Welcome to CGID beta program</center></h1><br><br><br><br>
> <h3><center>To set a http only cookie click the below button</center></h3><br><br><br>
> <center>
> <form method="post" action="/">
> <button type="submit">CLICK ME</button>
> </form>
> </center>
> </body>
> </html>
>
> Here is node server-side code:
>
> const express = require("express");
> const bodyParser = require("body-parser")
> const cookieParser = require('cookie-parser');
> const { v4: uuidv4 } = require('uuid');
>
> const app = express();
>
> app.use(cookieParser());
>
> app.use(bodyParser.urlencoded({
> extended:true
> }));
>
> app.get("/", (req, res) => {
> res.sendFile(__dirname + "/index.html");
> });
>
> app.post("/", function(req, res) {
> res.cookie('CGID', uuidv4(), {
> maxAge: 60*60*24*30*13,
> httpOnly: true,
> secure: true,

Are you using a self-signed certificate for localhost and serving all of its resources over https? Secure cookies are not accepted from non-secure pages.

> sameSite: "lax",
> domain: 'localhost',
> path: '/',
> });
> //res.send("<h2>CGID is now set</h2>")
> });
>
> app.listen(3000, () => {
> console.log("Application started and Listening on port 3000");
> });

Reply to comment #6

(In reply to John Wilander from comment #6)
> Are you using a self-signed certificate for localhost and serving all of its resources over https? Secure cookies are not accepted from non-secure pages.

This is notably different to every other browser where localhost is treated as a secure context; this is likely another dupe of bug 218980 as a result.

Robert Knight, comment #8

We got tripped up by this today. Something that makes it extra confusing is that Safari does treat localhost as secure in other respects (eg. `window.isSecureContext`).

Julian, reply to comment #6

(In reply to John Wilander from comment #6)

Thank you for this extremely helpful clarification:
> Are you using a self-signed certificate for localhost and serving all of its resources over https? Secure cookies are not accepted from non-secure pages.

This issue tripped up my team for several hours today, and although the behavior makes sense, it would be helpful to have more documentation. I would also like to note that chromium and gecko engines have different behavior and accept the cookie.

Thanks,
Julian

Reply to comment #8

(In reply to Robert Knight from comment #8)
> We got tripped up by this today. Something that makes it extra confusing is that Safari does treat localhost as secure in other respects (eg. `window.isSecureContext`).

I agree with this. Is there a reasoning/explanation on why `window.isSecureContext` returns `true` on `localhost` but then it rejects cookies with the `Secure` attribute? Thanks!