Cookie with SameSite=lax option not sent when doing right click "Save As..."
Reported by
rob.dup...@freeagent.com,
Mar 7 2018
|
||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36 Steps to reproduce the problem: 1. Go to a page which sets a 'Cache-Control: no-store' header and also sets a cookie with the SameSite=lax option. 2. Do right click "Save As..." 3. The page is re-requested but the cookie isn't sent. What is the expected behavior? The cookie should be sent along with the request since the "Save As..." is requesting the page from the same site. Another option would be for the existing html to be saved without making another request for no-store responses. This has a number of benefits (especially for actions which aren't idempotent) and is what safari does (but this may not be in the spirit of the no-store directive). In general, I think requests originating with "Save As..." should be as similar as possible to those made on the initial page view. I also notice that requests initiated as a result of "Save As..." do not appear in the network inspector which makes this difficult to debug. What went wrong? Instead of saving the page you're currently viewing, any content dependant on the cookie is shown incorrectly. For apps with session cookies, this is very undesirable - the login page is saved, rather than the page the user is viewing. Did this work before? N/A Chrome version: 65.0.3325.146 Channel: stable OS Version: OS X 10.12.6 Flash Version: Might be the same as https://bugs.chromium.org/p/chromium/issues/detail?id=704123
,
Mar 7 2018
,
Mar 7 2018
,
Mar 8 2018
@Reporter: Please provide sample URL or test file to test this issue. This would help in further debugging of the issue. cc'ing @mkwst from 704123 for further inputs on this. Thanks!
,
Mar 8 2018
I don't have time to set up a server with a test page on it with the correct headers I'm afraid. One additional thing to note is that this issue only occurs with the "Web Page, HTML Only" mode. If you choose "Web Page, Complete" no new request is made to the server. This to me says the approach of just saving the raw HTML without making an additional request would probably make the most sense and would make the 2 "Save As" modes more consistent.
,
Mar 8 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 9 2018
Tried testing the issue on mac 10.12.6 using chrome reported version #65.0.3325.146 and latest canary #67.0.3365.0. Attached a screen cast for reference. Following are the steps followed to reproduce the issue. ------------ 1. Saved a webpage with the "Web Page, HTML Only" mode. 2. Opened the .htm file in chrome. 3. Observed that 0 cookies were sent when clicked on the secure button in the omnibox. Note: Same behavior is observed in M60 also. reporter@ - Could you please check the attached screen cast and please let us know if it is the issue you are talking about. Thanks...!!
,
Mar 9 2018
I'm not sure what cookies you were expecting to be sent in this case? To my knowledge cookies are an http only mechanism and not supported when using file:// urls. In any case before a cookie is sent, it needs to be set by something which you're not doing in this video, so there's no way any cookies would be sent in this case. I think it would be helpful for this to be investigated by someone who has experience with cookies and cache control settings. The approximate steps to repro are as follows: - Set up a remote web server with 2 pages: 1 A page which sets a cookie with samesite=true 2 A page with some server side behaviour which depends on that cookie (eg showing "cookie present" on the page if it is present) and which sets the 'Cache-Control: no-store' header - Browse to webpage 1 and check that the cookie has been set - Browse to webpage 2 and check that the cookie has been sent to this page (ie "cookie present" is shown) - Right click save as Web Page, HTML Only on page 2 - "cookie present" won't be saved
,
Mar 9 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 13 2018
This issue seems to be out of ET scope, to test this issue remote web service should be established. Hence adding TE-NeedsTriageHelp label. Could someone from the Internals>Network>Cookies team have a look into this issue. Thanks!
,
Mar 14 2018
I will remove the SecurityFeature component as I believe this is entirely related to the interaction between cookies and savepage
,
Mar 14 2018
Removing the cookies label - happy to discuss cookies with the SavePage folks, but the cookie code doesn't know what SavePage is, and it's up to the consumer to correctly configure the network requests they make. |
||||||||||
►
Sign in to add a comment |
||||||||||
Comment 1 by elawrence@chromium.org
, Mar 7 2018Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug