| Summary: | Unable to set secure+httpOnly cookie for localhost in Safari from Node JS | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Raj <rajdeep91> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Major | CC: | anagstef, andresg_22, beidson, gsnedders, julian.fortune, robertknight, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 15 | | |
| Hardware: | All | | |
| OS: | macOS 11 | | |
| Attachments: | Http Cookie on Edge vs Safari (attachment 442035) | | |
Description
Raj
2021-10-21 09:03:43 PDT
Created attachment 442035: Http Cookie on Edge vs Safari

I am using node express server to set a httpOnly cookie on localhost:3000. I can see cookie setting on other browsers but not on Safari.

Here is HTML code:

```html
<html>
  <head>
    <title> CGID Beta </title>
    <script src="https://assets.adobedtm.com/43cf45b098bd/38a98b49e24d/launch-5d7d0d6eb58d-development.min.js" async></script>
  </head>
  <body>
    <br><br><br>
    <h1><center>Welcome to CGID beta program</center></h1><br><br><br><br>
    <h3><center>To set a http only cookie click the below button</center></h3><br><br><br>
    <center>
      <!-- POSTs to "/" on the same origin; the response to this POST carries the Set-Cookie header -->
      <form method="post" action="/">
        <button type="submit">CLICK ME</button>
      </form>
    </center>
  </body>
</html>
```

Here is node server-side code:

```javascript
const express = require("express");
const bodyParser = require("body-parser");
const cookieParser = require("cookie-parser");
const { v4: uuidv4 } = require("uuid");

const app = express();

app.use(cookieParser());
app.use(bodyParser.urlencoded({ extended: true }));

// Serves the form above over plain http://localhost:3000
app.get("/", (req, res) => {
  res.sendFile(__dirname + "/index.html");
});

// Sets the cookie in the response to the form POST
app.post("/", function (req, res) {
  res.cookie("CGID", uuidv4(), {
    // Express maxAge is in milliseconds, so 60*60*24*30*13 alone would be about
    // 9.4 hours rather than 13 months
    maxAge: 60 * 60 * 24 * 30 * 13 * 1000,
    httpOnly: true,
    secure: true, // Secure attribute, but the page and this response are served over http://
    sameSite: "lax",
    domain: "localhost",
    path: "/",
  });
  // Left commented out as posted; without a res.send()/res.end() the response
  // never completes, so the Set-Cookie header never reaches the browser
  // (see the follow-up comment below)
  //res.send("<h2>CGID is now set</h2>")
});

app.listen(3000, () => {
  console.log("Application started and Listening on port 3000");
});
```

Comment
Raj

Oops, consider the below line of code uncommented:

    res.send("<h2>CGID is now set</h2>")

Comment

Thanks for filing.

Comment 6
John Wilander

(In reply to Raj from comment #0)
> Created attachment 442035 [details]
> Http Cookie on Edge vs Safari
>
> I am using node express server to set a httpOnly cookie on localhost:3000. I
> can see cookie setting on other browsers but not on Safari.
[...]
>     httpOnly: true,
>     secure: true,

Are you using a self-signed certificate for localhost and serving all of its resources over https? Secure cookies are not accepted from non-secure pages.

Comment

(In reply to John Wilander from comment #6)
> Are you using a self-signed certificate for localhost and serving all of its
> resources over https? Secure cookies are not accepted from non-secure pages.

This is notably different to every other browser, where localhost is treated as a secure context; this is likely another dupe of bug 218980 as a result.

Comment 8
Robert Knight

We got tripped up by this today. Something that makes it extra confusing is that Safari does treat localhost as secure in other respects (e.g. `window.isSecureContext`).

Comment
Julian

(In reply to John Wilander from comment #6)

Thank you for this extremely helpful clarification:

> Are you using a self-signed certificate for localhost and serving all of its
> resources over https? Secure cookies are not accepted from non-secure pages.

This issue tripped up my team for several hours today, and although the behavior makes sense, it would be helpful to have more documentation. I would also like to note that the Chromium and Gecko engines have different behavior and accept the cookie.

Thanks,
Julian

Comment

(In reply to Robert Knight from comment #8)
> We got tripped up by this today. Something that makes it extra confusing is
> that Safari does treat localhost as secure in other respects (e.g.
> `window.isSecureContext`).

I agree with this. Is there a reasoning/explanation for why `window.isSecureContext` returns `true` on `localhost` but Safari then rejects cookies with the `Secure` attribute?

Thanks!