Service worker mediated fetches don't get same site cookies
Reported by
akh...@dropbox.com,
Oct 4 2016
Issue description

Example URL:

Steps to reproduce the problem:
1. Set a same site cookie in strict mode
2. Install service worker for full origin
3. Make a XHR GET request

What is the expected behavior?
Same site cookies included in the XHR GET.

What went wrong?
Same site cookie missing

Did this work before? N/A

Chrome version: 53.0.2785.124
Channel: n/a
OS Version:
Flash Version:
,
Oct 4 2016
hmm .. let me look. We are using the sw-toolbox so I thought it would include credentials
,
Oct 4 2016
,
Oct 5 2016
Looks like the bug is on Chrome's side. Test case to reproduce the bug: https://github.com/samertm/test-samesite.

Summary of repro:
- The test case has a normal cookie, an HTTP only cookie, and a same site cookie set.
- The page makes a request for "/test-path", which is not fetched by the service worker. It includes all three cookies.
- The page makes a request for "/sw-test-path", which is fetched by the service worker. It doesn't include the same site cookie.

I repro'd on Chrome 51, but I would expect it to fail on 53 as well.
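The comparison in the repro summary above can be checked from the server side. This is an added example, not code from the linked test-samesite repository or from anyone in the thread: it reports which cookies arrive on "/test-path" and "/sw-test-path" and names any cookie that is present on the direct request but missing from the service-worker one. The cookie names and the handler are assumptions.

```javascript
// Added example. Cookie names are hypothetical; only the two paths come from the report.
const COOKIES = {
  normal: 'normal=yes; Path=/',
  httponly: 'httponly=yes; Path=/; HttpOnly',
  samesite: 'samesite=yes; Path=/; SameSite=Strict',
};

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = Object.create(null);
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // skip empty or malformed pairs
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// For one request, say which of the expected cookies arrived.
function cookieReport(header) {
  const jar = parseCookieHeader(header);
  const report = {};
  for (const name of Object.keys(COOKIES)) report[name] = name in jar ? 'yes' : 'no';
  return report;
}

// Cookies sent on the direct request but absent from the service-worker one.
function droppedByServiceWorker(directHeader, swHeader) {
  const direct = cookieReport(directHeader);
  const viaSw = cookieReport(swHeader);
  return Object.keys(COOKIES).filter((n) => direct[n] === 'yes' && viaSw[n] === 'no');
}

// Node request handler: the two test paths echo the report, anything else sets the cookies.
function handler(req, res) {
  if (req.url === '/test-path' || req.url === '/sw-test-path') {
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(cookieReport(req.headers.cookie)));
  } else {
    res.writeHead(200, { 'Set-Cookie': Object.values(COOKIES), 'Content-Type': 'text/plain' });
    res.end('cookies set');
  }
}
// To serve it locally: require('http').createServer(handler).listen(8080);
```

On an affected build the report for "/sw-test-path" would show the same site cookie as 'no' while "/test-path" shows all three as 'yes'.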
,
Oct 5 2016
I couldn't repro on Chrome 55 dev. Chrome 51 is pretty old, can you test on a newer version? httponly_samesite: 'yes' appeared in both cookies w/o service worker and with service worker.
,
Oct 5 2016
yeah I also can't repro in Chrome 55 canary; but I can repro in 53 stable. Wonder if it is in 54 beta.
,
Oct 5 2016
https://codereview.chromium.org/2323143002/, which was back ported to m54, probably fixed this. Although I'm not sure the same site cookie behavior in workers entirely matches the spec yet.
,
Oct 11 2016
I repro'd on 53, and can't repro on 54.0.2840.50 beta. Looks like it's fixed, feel free to close.
,
Oct 11 2016
Okay, let's close that :)
Comment 1 by msramek@chromium.org
, Oct 4 2016