SameSite cookies not being sent on Android file download
Reported by craig.fr...@gmail.com, Jul 27 2016
Issue description

Steps to reproduce the problem:
1. On Android, go to https://www.krang.org.uk/misc/sameSiteCookies/
2. Scroll down to test 6
3. Follow the download link, and note that you don't get a PDF.

What is the expected behavior?

What went wrong?
Two requests are being made to download this file (not good in itself), and the second request does not include the SameSite cookies.

Did this work before? N/A
Chrome version: 51.0.2704.81 Channel: stable
OS Version: 5.1
Flash Version:

This is related to Issue 626242 (https://crbug.com/626242).

Apache Logs:
[2016-07-27 14:49:27] "GET /misc/sameSiteCookies/?output=pdf&disposition=attachment&require=true HTTP/1.1" 200 4754 "https://www.krang.org.uk/misc/sameSiteCookies/" "Mozilla/5.0 (Linux; Android 5.0.1; GT-I9500 Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.81 Mobile Safari/537.36"
[2016-07-27 14:49:27] "GET /misc/sameSiteCookies/?output=pdf&disposition=attachment&require=true HTTP/1.1" 200 21 "https://www.krang.org.uk/misc/sameSiteCookies/" "Mozilla/5.0 (Linux; Android 5.0.1; GT-I9500 Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.81 Mobile Safari/537.36"
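An added example, not part of the original report or of Chromium: a Python check that parses access-log lines in the layout shown above and flags a URL fetched more than once in the same second by the same user agent with different response sizes, which is the pattern in the reporter's log. The function names, the shortened user agent, and the third sample line are constructed; the log carries no client address, so grouping by user agent is an assumption.

```python
import re
from collections import defaultdict

# Layout used in the report: [timestamp] "request" status bytes "referer" "user agent"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_repeated_downloads(lines):
    """Report requests repeated within one second whose response sizes differ."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            # Same second + same request line + same UA stands in for "same client".
            groups[(rec["ts"], rec["request"], rec["ua"])].append(rec["size"])
    return [
        {"ts": ts, "request": request, "count": len(sizes), "sizes": sizes}
        for (ts, request, _ua), sizes in groups.items()
        if len(sizes) > 1 and len(set(sizes)) > 1
    ]

# Constructed sample: the first two lines follow the report's log with a shortened
# user agent; the third is an ordinary page view added for contrast.
UA = "Mozilla/5.0 (Linux; Android 5.0.1) Chrome/51.0.2704.81 Mobile"
URL = "GET /misc/sameSiteCookies/?output=pdf&disposition=attachment&require=true HTTP/1.1"
REF = "https://www.krang.org.uk/misc/sameSiteCookies/"
SAMPLE = [
    f'[2016-07-27 14:49:27] "{URL}" 200 4754 "{REF}" "{UA}"',
    f'[2016-07-27 14:49:27] "{URL}" 200 21 "{REF}" "{UA}"',
    f'[2016-07-27 14:50:02] "GET /misc/sameSiteCookies/ HTTP/1.1" 200 3100 "-" "{UA}"',
]

if __name__ == "__main__":
    for finding in find_repeated_downloads(SAMPLE):
        print(finding)
```

Requests that straddle a second boundary fall into different groups, so a real deployment would compare timestamps within a small window instead of exact equality.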
Aug 1 2016
qinmin@ Please take a look
Aug 10 2016
Any news on this (it might need to involve Mike West, who I think is on holiday atm)? The reason I ask is because the website I'm working on is using SameSite cookies, and anyone on an Android phone cannot download any files (which require you to be logged in)... and I'm wondering if I should switch off this security feature (maybe by checking the UA string), or if there is a workaround (maybe allowing the device to cache the file for a few seconds)?
Aug 10 2016
This should have been fixed on trunk when Android DownloadManager is disabled. For Chrome 52 Stable, go to chrome://flags and disable system DownloadManager.
Aug 10 2016
Aug 11 2016
I can't test at the moment, but is the intention for DownloadManager to be disabled for everyone (e.g. Chrome 53)? And that `chrome://flags` is being used as a temporary solution?
Comment 1 by rsgav...@chromium.org, Aug 1 2016
Labels: triage-te