RESOLVED FIXED281385
Safari 18.0 Browser Extensions Fail to Set Cookies while expirationDate Exists 
https://bugs.webkit.org/show_bug.cgi?id=281385
Summary Safari 18.0 Browser Extensions Fail to Set Cookies while expirationDate Exists
K
Reported 2024-10-12 13:12:32 PDT
Starting from Safari 18.0, browser extensions (on iOS, iPadOS, and macOS) cannot set persistent cookies using `browser.cookies.set()` if the parameter `expirationDate` is present. For example, (a) this does not set cookies (the result of `browser.cookies.get("cookie_name")` is null: ============================= browser.cookies.set({ name: "cookie_name", url: "url_string_goes_here", value: "jwt_token_goes_here", domain: "domain_string_goes_here", secure: true, sameSite: "lax", expirationDate: number_of_seconds_to_live }); while (b) this works: ===================== browser.cookies.set({ name: "cookie_name", url: "url_string_goes_here", value: "jwt_token_goes_here", domain: "domain_string_goes_here", secure: true, sameSite: "lax", }); HOWEVER, (b) is now a "session" cookie that cannot be used to save JWTs. The moment the user closes the browser, they need to login again! This problem started from Safari 18.0, and did not exist in Safari 17. The current released of Safari (i.e., 18.0.1) still has this bug. Reference: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies/set
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2024-10-12 13:12:40 PDT
<rdar://problem/137812683>
Timothy Hatcher
Comment 2 2024-10-21 17:17:27 PDT
Pull request: https://github.com/WebKit/WebKit/pull/35559
EWS
Comment 3 2024-10-22 06:41:56 PDT
Committed 285552@main (b66e4895df40): <https://commits.webkit.org/285552@main> Reviewed commits have been landed. Closing PR #35559 and removing active labels.
EWS
Comment 4 2024-10-28 15:43:51 PDT
Committed 283286.357@safari-7620-branch (2e81a87a6d53): <https://commits.webkit.org/283286.357@safari-7620-branch> Reviewed commits have been landed. Closing PR #2124 and removing active labels.
K
Comment 5 2025-02-01 19:58:23 PST
The issue seems to still be there. As soon as Safari quits, the cookie does not persist, and re-authentication is required. The issue has been introduced in Safari 18.0, and it still exists in the current version (18.3). The code below worked fine in previous Safari versions (15.x to 17.x). Example: const currentTime = Math.round(new Date().getTime() / 1000); const expiresAfter = 60 * 60 * 24 * 7; // 7 days const expirationDate = currentTime + expiresAfter; browser.cookies.set({ name: "cookie_name", url: "url_string_goes_here", value: "token_goes_here", domain: "domain_string_goes_here", secure: true, sameSite: "lax", expirationDate: expirationDate });
Note You need to log in before you can comment on or make changes to this bug.