
Issue 632004

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug




SameSite cookies not being sent on Android file download

Reported by craig.fr...@gmail.com, Jul 27 2016

Issue description

Steps to reproduce the problem:
1. On Android, go to https://www.krang.org.uk/misc/sameSiteCookies/
2. Scroll down to test 6
3. Follow the download link, and note that you don't get a PDF.

What is the expected behavior?

What went wrong?
Two requests are being made to download this file (not good in itself), and the second request does not include the SameSite cookies.

Did this work before? N/A 

Chrome version: 51.0.2704.81  Channel: stable
OS Version: 5.1
Flash Version: 

This is related to Issue 626242 (https://crbug.com/626242).

Apache Logs:

[2016-07-27 14:49:27] "GET /misc/sameSiteCookies/?output=pdf&disposition=attachment&require=true HTTP/1.1" 200 4754 "https://www.krang.org.uk/misc/sameSiteCookies/" "Mozilla/5.0 (Linux; Android 5.0.1; GT-I9500 Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.81 Mobile Safari/537.36"

[2016-07-27 14:49:27] "GET /misc/sameSiteCookies/?output=pdf&disposition=attachment&require=true HTTP/1.1" 200 21 "https://www.krang.org.uk/misc/sameSiteCookies/" "Mozilla/5.0 (Linux; Android 5.0.1; GT-I9500 Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.81 Mobile Safari/537.36"
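
A log check for the symptom described in this report, added here as an example (it is not part of the original report and not Chromium code): it flags a request repeated with the same method, URL and User-Agent within two seconds that returns a different byte count, as the two quoted Apache entries do (4754, then 21). The function names and the two-second window are assumptions, the third sample line is constructed, and the log is assumed to be in chronological order.

```python
import re
from datetime import datetime, timedelta

# Layout of the quoted log lines: [time] "request" status bytes "referer" "UA"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["size"] = int(rec["size"])
    return rec

def find_repeated_downloads(lines, window=timedelta(seconds=2)):
    """Return (first, repeat) pairs: same method, path and UA inside `window`
    but a different response size. The quoted format has no client address;
    add one to the key if your log format records it."""
    last_seen, hits = {}, []
    for rec in filter(None, map(parse, lines)):
        key = (rec["method"], rec["path"], rec["ua"])
        prev = last_seen.get(key)
        if prev and rec["ts"] - prev["ts"] <= window and rec["size"] != prev["size"]:
            hits.append((prev, rec))
        last_seen[key] = rec
    return hits

UA = ("Mozilla/5.0 (Linux; Android 5.0.1; GT-I9500 Build/LRX22C) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/51.0.2704.81 Mobile Safari/537.36")
REF = "https://www.krang.org.uk/misc/sameSiteCookies/"
URL = "/misc/sameSiteCookies/?output=pdf&disposition=attachment&require=true"
SAMPLE = [
    # The first two entries are the ones quoted in the report.
    f'[2016-07-27 14:49:27] "GET {URL} HTTP/1.1" 200 4754 "{REF}" "{UA}"',
    f'[2016-07-27 14:49:27] "GET {URL} HTTP/1.1" 200 21 "{REF}" "{UA}"',
    # Constructed: an ordinary page view that must not be flagged.
    f'[2016-07-27 14:50:02] "GET /misc/sameSiteCookies/ HTTP/1.1" 200 4754 "-" "{UA}"',
]

if __name__ == "__main__":
    for first, repeat in find_repeated_downloads(SAMPLE):
        print(f'{repeat["ts"]} {repeat["path"]}: {first["size"]} -> {repeat["size"]} bytes')
```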
 
Cc: krav...@chromium.org
Labels: triage-te
Cc: -krav...@chromium.org
Labels: -triage-te M-52
Owner: qin...@chromium.org
Status: Assigned (was: Unconfirmed)
qinmin@ Please take a look
Any news on this (it might need to involve Mike West, who I think is on holiday atm)?

The reason I ask is because the website I'm working on is using SameSite cookies, and anyone on an Android phone cannot download any files (which require you to be logged in)... and I'm wondering if I should switch off this security feature (maybe by checking the UA string), or if there is a workaround (maybe allowing the device to cache the file for a few seconds)?

Comment 4 by qin...@chromium.org, Aug 10 2016

This should have been fixed on trunk when Android DownloadManager is disabled.

For Chrome 52 Stable, go to chrome://flags and disable system DownloadManager.

Comment 5 by qin...@chromium.org, Aug 10 2016

Status: Fixed (was: Assigned)
I can't test at the moment, but is the intention for DownloadManager to be disabled for everyone (e.g. Chrome 53)?

And that `chrome://flags` is being used as a temporary solution?
