New issue
Advanced search Search tips

Issue 920648 link

Starred by 4 users
Status: Assigned
Owner:
jarhar@chromium.org
Cc:
viswa.karala@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

sameSite=strict cookies not sent when requesting TypeScript files from Console

Reported by elliott2...@gmail.com, Jan 10 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce the problem:
1. Add sameSite=strict cookie 
2. Open a website supporting TypeScript debugging
3. Open chrome console and request TypeScript file

What is the expected behavior?
sameSite=strict (or lax) cookies will be sent

What went wrong?
sameSite=strict or lax cookies not sent in request for TypeScript/.js.map file.

Did this work before? No 

Chrome version: 71.0.3578.98  Channel: stable
OS Version: 10.0
Flash Version:

Comment 1 by viswa.karala@chromium.org, Jan 11

Cc: viswa.karala@chromium.org
Labels: Triaged-ET Needs-Feedback
Thanks for filing the issue!

@Reporter: Could you please provide sample Test File/URL that reproduces the issue which help in further triaging the issue in better way. If possible provide screencast of the issue which help in better understanding.

Thanks!

Comment 2 by phanindra.mandapaka@chromium.org, Jan 12

Labels: Needs-Triage-M71

Comment 3 by br...@distributedmatter.net, Jan 14 

I've noticed a similar behaviour by the Developer Tools in Chrome when it gets the js.map files automatically: it doesn't send all the cookies to the server.

The application I'm using sets two cookies: JSESSIONID and SESSION. The Cookie header sent by a request made normally by the application (whether direct request, img tag or XMLHttpRequest) sends the two cookies like so:

    Cookie: JSESSIONID=abc...; SESSION=xyz...
	
(where "abc..." and "xyz..." are string values approximately 50-characters long).

However, when the Developer Tools make the GET request to ".js.map" files automatically, only the JSESSIONID cookie is sent. The SESSION cookie isn't sent. (A side effect in this case is that the server invalidates the session in this case, which logs out users when simply opening the Dev Tools, or shortly after doing so.)

This problem doesn't happen when making the same GET requests to the ".js.map" resources explicitly, so this seems specific to the Developer Tools.


This is tested using Chrome Version 71.0.3578.98 (Official Build) (64-bit). I've had to debug this server-side, since those requests don't appear in the Network tab of the Dev Tools.


I'm not sure how to trigger these requests explicitly in the Dev Tools, since they happen behind the scenes, but it happens often enough when reloading a page that has .js scripts and potential matching .js.map files, while the Dev Tools are open.

Comment 4 by l...@chromium.org, Jan 18 (5 days ago)

Owner: jarhar@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 5 by elliott2...@gmail.com, Jan 18 (5 days ago) 

Interestingly, getting logged out while opening the devtools due to non-authenticated requests is the same problem we are experiencing.

I tested this and newer versions of IE and Edge behave in the same way as Chrome is behaving. I don’t know if that means the behavior is intentional.

Comment 6 by matthieu...@gmail.com, Today (11 hours ago) 

Same issue here, with plain regular javascript sourcemap files (it does not only happen for TypeScript).

Sign in to add a comment