Same-site (lax) cookies are being stripped from requests when using request interception.
Reported by
halleniu...@gmail.com,
Apr 12 2018
|
||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Steps to reproduce the problem: 1. Interact with Chrome headless using the debug protocol and setup request interception using https://chromedevtools.github.io/devtools-protocol/tot/Network#method-setRequestInterception and https://chromedevtools.github.io/devtools-protocol/tot/Network#method-continueInterceptedRequest 2. Navigate to https://same-site.fredrik-almroth.se/ 3. Click the submit button. What is the expected behavior? The cookie called "c" to be part of the POST request and the PoC script to respond with "Cookie included in post" What went wrong? The cookie is being stripped from the POST request, presumable because the request is considered to be from a different origin as it's being intercepted while in transit. Did this work before? N/A Does this work in other browsers? N/A Chrome version: 65.0.3325.181 Channel: stable OS Version: Flash Version: Shockwave Flash 29.0 r0 I also tested this in "Google Chrome 67.0.3386.1 dev" without any luck. I realize that request interception is currently flagged as experimental but figured it wouldn't hurt to report bugs for it regardless.
,
Apr 12 2018
,
Apr 13 2018
Tested the issue on chrome reported version 65.0.3325.181 using Ubuntu 14.04 with steps mentioned below: 1) Launched chrome reported version and navigated to URL: https://same-site.fredrik-almroth.se/ 2) Clicked on "submit" button, able to see the response as "Cookie included in post" Note: As mentioned in steps to reproduce the problem in comment# 0, we are not sure about the step-1, how to proceed on it. @Reporter: Please find the attached screen cast for your reference and provide your feedback on it which help in further triaging it. If possible could you please provide screencast of the issue which help in better understanding. Thanks!
,
Apr 13 2018
Hello, thanks for taking a look at this issue. It appears like I did a really poor job explaining it so I'll make another attempt. The problem does not show up when usual "regular" chrome to browse to the example I provided before, it only appears when request-interception is enabled. I've attached two simple nodejs scripts (sorry for the code quality, nodejs is not my primary language) that can be used to reproduce this issue. I also included a video of me running the scripts. The first script (without-inception.js) will go to https://same-site.fredrik-almroth.se/ using headless chrome controlled using the devtools protocol and then click the submit-button using javascript. This script is excepted to return with a successful result where the cookie is included in the following POST request generated by the clicking submit. The second script is the same as the first one but with request-interception added. Meaning the script will have the option of blocking requests if it chooses to, in my example I always let the request execute so I shouldn't expect chrome to behave differently when interacting with the site. Unfortunately that's not the case and the script will return "Failure! Same-site cookies was NOT included in POST request" meaning that chrome stripped away the cookie. I should add that I do not believe this to be a problem with the lib I'm using to interact with Chrome as we've tested multiple libs with the same result.
,
Apr 13 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 16 2018
,
May 3 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7362dcafc243915f66561f51ae91b527a1e38b97 commit 7362dcafc243915f66561f51ae91b527a1e38b97 Author: Andrey Kosyakov <caseq@chromium.org> Date: Thu May 03 00:55:33 2018 DevTools: fix URLREquestJob-based interception to not lose samesite cookies Bug: 832045 Change-Id: I30edba5188f28a67d20de4dbfe75cc2e419c107f Reviewed-on: https://chromium-review.googlesource.com/1040664 Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Commit-Queue: Andrey Kosyakov <caseq@chromium.org> Cr-Commit-Position: refs/heads/master@{#555635} [modify] https://crrev.com/7362dcafc243915f66561f51ae91b527a1e38b97/content/browser/devtools/devtools_url_interceptor_request_job.cc [add] https://crrev.com/7362dcafc243915f66561f51ae91b527a1e38b97/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/interception-cookie-post-expected.txt [add] https://crrev.com/7362dcafc243915f66561f51ae91b527a1e38b97/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/interception-cookie-post.js [add] https://crrev.com/7362dcafc243915f66561f51ae91b527a1e38b97/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/resources/cookie-same-site.pl
,
May 4 2018
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by ricea@chromium.org
, Apr 12 2018