Cookies with SameSite Lax or Strict are not passed on same-site requests initiated from an anchor tag with the download attribute.
Reported by gustavni...@gmail.com, Oct 26 2016
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Steps to reproduce the problem:
1. You have a cookie that holds an auth token with a SameSite value of "Lax" (or "Strict").
2. On the website, you click a link that will download a resource. (<a href="foo.txt" download>Click here!</a>)

What is the expected behavior?
A request for foo.txt is sent with the cookie in the headers, as the resource that is requested to be downloaded is hosted on the same site.

What went wrong?
The cookie is not included in the request for foo.txt.

Did this work before? N/A
Does this work in other browsers? N/A

Chrome version: 54.0.2840.71
Channel: stable
OS Version: Ubuntu 16.04
Flash Version: Shockwave Flash 23.0 r0

I created a small Node.js server that will illustrate the problem, comparing different values of SameSite on cookies and <a> tags with/without the download attribute.
https://github.com/gustavnikolaj/same-site-and-download-attribute

Mar 17 2017

Mar 17 2017
This is an older issue, but I assume it still repros, unless the downloads code has been modified to set both first_party_for_cookies and initiator for the request.

Mar 17 2017
Yes, still reproducible in Chrome 56.0.2924.87 on Linux

Mar 20 2017
[mkwst]: Looks like initiator is being set from the downloads code (https://cs.chromium.org/chromium/src/content/browser/download/download_request_core.cc?gsn=CreateRequestOnIOThread&l=220), so I'm not sure what's happening.

Apr 19 2017
Not sure why the Needs-Feedback label is still there. The server code in the github repo referenced by the OP clearly demonstrates the issue. Is it really necessary to put it online at a public url?

Apr 20 2017
I can't reproduce this. I just replaced the body of https://www.google.com with '<a download href="/">foo</a>', and we correctly decide to include same-site cookies (Strict and Lax) in the request. (I'm not going to download and install Node.js binaries or run the above script on my corp PC).

Apr 21 2017
I have deployed it here: https://samesitelax-cookie-sunbokbslb.now.sh/ It's still reproducible in at least version 54, 55, and 56, but it is fixed in version 57.

Apr 21 2017
Thank you for providing more feedback. Adding requester "krajshree@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Apr 21 2017
Thanks for the help, Gustav! The fact it's working in Chrome 57 would explain why the code looked correct, and why I couldn't repro locally. Given that M57 has been on stable channel for about 6 weeks, and M58 is coming out soon, I'm going to go ahead and archive this issue, since it looks to be fixed.

Comment 1 by krajshree@chromium.org, Dec 29 2016
Labels: Needs-Feedback