
Issue 625401

Issue metadata

Status: Duplicate
Merged: issue 619603
Owner: ----
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Strict same-site cookies not sent on prefetch/prerender

Reported by sjoer...@gmail.com, Jul 2 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0

Example URL:

Steps to reproduce the problem:
1. Set a same-site cookie:
Set-Cookie: strictcookie=helloworld; samesite=strict
2. Prefetch a page on the same domain:
<link rel="prefetch" href="somepage">

What is the expected behavior?
I expect the request to "somepage" to contain the cookie "strictcookie".

What went wrong?
The request does not contain the strict same-site cookie. It does contain lax or normal cookies.

Did this work before? No 

Chrome version: 54.0.2786.0 (Official Build) canary (64-bit)  Channel: canary
OS Version: OS X 10.11
Flash Version:
 

Comment 1 Deleted

Cc mkwst@chromium.org

Comment 3 by sjoer...@gmail.com, Jul 2 2016

The script I wrote to reproduce this bug is faulty, because each header call overwrites the previous 'Set-Cookie' header. I will try to come up with a better reproduction script.

Comment 4 by sjoer...@gmail.com, Jul 2 2016

I made a new reproduction script, and it seems the bug is already resolved in the latest Chrome.

I could reproduce the bug in 52.0.2743.60 (Official Build) beta (64-bit). When prerendering the strict cookie is not sent. Prefetch works as expected.

On 53.0.2783.2 and 54.0.2786.0 it works as expected.
Attachment: samesite.php (329 bytes)
Cc: mkwst@chromium.org durga.behera@chromium.org
sjoerder@: Thanks for the report. Could you please help by providing more descriptive steps to triage from our side?
mkwst@: cc'ed you as per the above comment #2; please undo if not related to you.
Labels: Needs-Feedback

Comment 7 by sjoer...@gmail.com, Jul 4 2016

In Chrome 52:

1. Set a cookie with samesite=strict.
2. Prerender a page with <link rel="prerender" href="/somepage">.

Expected: cookie is sent with prerender request.
Actual: cookie is not sent with prerender request.

I verified whether the cookie was sent using an intercepting proxy (Burp), as the prerender request does not show up in the network tab of the developer toolbar.

Comment 8 by sheriffbot@chromium.org, Jul 4 2016

Labels: -Needs-Feedback Needs-Review
Owner: rnimmagadda@chromium.org
Thank you for providing more feedback. Adding requester "rnimmagadda@chromium.org" for another review and adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Needs-Review
Owner: ----
Components: -Internals>Network Internals>Network>Cookies
Mergedinto: 619603
Status: Duplicate (was: Unconfirmed)
This seems fixed on trunk; I think it ended up being a duplicate of the bug reported at https://bugs.chromium.org/p/chromium/issues/detail?id=619603.
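
A reproduction harness for the steps in this thread, as an added example (it is not the attached samesite.php and not Chromium project code): it sends each cookie in its own Set-Cookie header, avoiding the overwrite problem from comment 3, and records on the server which cookies were missing from each /somepage request, so no intercepting proxy is needed. The `laxcookie` and `normalcookie` names, the `?via=` markers and port 8000 are assumptions.

```python
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# strictcookie is the page's cookie; the other two names are constructed here.
COOKIES = [
    "strictcookie=helloworld; SameSite=Strict; Path=/",
    "laxcookie=helloworld; SameSite=Lax; Path=/",
    "normalcookie=helloworld; Path=/",
]
EXPECTED = [c.split("=", 1)[0] for c in COOKIES]
# The ?via= markers are constructed so the two hint types can be told apart.
INDEX = (b'<link rel="prefetch" href="/somepage?via=prefetch">'
         b'<link rel="prerender" href="/somepage?via=prerender">'
         b'cookies set, hints issued')
seen = []  # (request path, missing cookie names) for each /somepage hit


def index_headers():
    """Headers for "/": one Set-Cookie field per cookie, never a merged one."""
    return [("Content-Type", "text/html")] + [("Set-Cookie", c) for c in COOKIES]


def missing_cookies(cookie_header):
    """Expected cookie names that are absent from a Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return [name for name in EXPECTED if name not in jar]


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("/somepage"):
            # Server-side record of what the browser actually sent.
            seen.append((self.path, missing_cookies(self.headers.get("Cookie"))))
            print("somepage request:", seen[-1])
            headers, body = [("Content-Type", "text/plain")], repr(seen[-1]).encode()
        else:
            headers, body = index_headers(), INDEX
        self.send_response(200)
        for name, value in headers:
            self.send_header(name, value)  # appends; repeated names are kept
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Binding to 127.0.0.1:8000 is an assumption; load / twice, then read the log.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

A line such as `('/somepage?via=prerender', ['strictcookie'])` in the output corresponds to the behaviour reported for Chrome 52; an empty list means all three cookies arrived.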