Clearing cookies from URL bar doesn't work on HTTPS pages with cert errors
Reported by
andreych...@gmail.com,
Feb 1 2017
|
|||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 Steps to reproduce the problem: 1. Navigate to a server with an expired/invalid SSL certificate that is known to set a cookie (a secure one, only to be sent on HTTPS). 2. Click on the "Secure" word in the URL bar, open the cookies list. 3. Delete the cookies. 4. Reload the page. What is the expected behavior? The secure cookie should have been deleted and not resent to the server. What went wrong? A non-secure cookie may be deleted, but the secure one stays and is resent to the server. Did this work before? N/A Chrome version: 55.0.2883.95 Channel: stable OS Version: OS X 10.12.2 Flash Version: Shockwave Flash 24.0 r0 Deleting the cookie through Settings -> advanced -> Content Settings -> All cookies and site data does work.
,
Feb 2 2017
,
Feb 2 2017
Somehow I didn't observed the behavior as updated above on Mac OS 10.12.2 using the reported version(55.0.2883.95). Tested this on https://expired.badssl.com/ and observed '0 Cookies in Use'. Attached is the screenshot of the same. andreychirikba@: Could you please take a look at the attached screenshot and confirm if anything being missed here. Please check the same on the latest stable(56.0.2924.87) as well and provide any such URL if the issue is still seen.
,
Feb 2 2017
,
Feb 2 2017
Re Comment 3: I think https://expired.badssl.com/ doesn't set any cookie in the first place. The problem actually manifests itself when a server sets a cookie and I then delete it (it doesn't actually get deleted). I am experiencing this on our company dev server. I can provide you with a temporary login to verify this if you give me your contact details (don't want to publish company data).
,
Feb 3 2017
,
Feb 13 2017
Thank you for providing more feedback. Adding requester "ajha@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 14 2017
Looks like the strict secure cookie bits and pieces have broken the UI here (we should be displaying/removing all cookies).
,
Mar 13 2017
Cleaning up sheriffbot label "Needs-Review" label as a part of modified "Needs-Feedback" sheriffbot rule. [ref bug for cleanup 684919]
,
Nov 10 2017
,
Feb 18 2018
,
Oct 4
(Unassigning myself, marking untriaged in preparation to retriage with folks who will do a better job taking care of cookies than I've been able to)
,
Oct 8
,
Oct 9
I wasn't able to reproduce the issue. I disabled the ssl warning for https://expired.badssl.com, manually created a cookie in devtools and reenabled the ssl warning in the pageinfo dialog. The cookie is listed in pageinfo and it can be deleted from there as well. Maybe the issue was fixed? Also note that the cookie wouldn't be send to the server if Chrome can't establish a secure connection. |
|||||||||||||
►
Sign in to add a comment |
|||||||||||||
Comment 1 by nyerramilli@chromium.org
, Feb 1 2017