Updating/deleting a cookie with different SameSite value #2152
Hi,

Cookies can be thought of as having two types of access permissions, read and write. Some attributes on cookies can block access, only when none of the attributes are blocking access can you read or write to the cookie. To update/delete/overwrite a given cookie you have to have write access permission and then you have to match You mentioned a cookie with Because of the Secondly this cookie has But what if the cookie was So what happens if I change the Let's flesh that example out some more. I start with a cookie: Now I want to modify it, so I run the command whether or not this succeeds depends on the accessibility of cookie

Context 1: We're on http://example.com
Context 2: We're on https://example.com
Context 2: We're on https://example.org which is iframing https://example.com (note the .org, that is a different site)
I just tried my example in Chrome 102 and it's working as I detailed. If you find a browser or situation that seems to be wrong I encourage you to file a bug. (Note: Some parts of this were simplified, but hopefully the message is still getting across. Cookies are complicated.)

It sounds like we can close here then. Thanks for filing an issue.
https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html
I've been reading over steps 17, 18 and 22 of the storage spec to try and figure out whether it actually says the SameSite value must be matched when setting a matching cookie.
If I'm reading it correctly, it should be possible to update a cookie that has
SameSite=none;Secure
with a new cookie that has neither as long as the cookie came from a matching context. But that doesn't seem to be the case: There are a lot of posts online about having to use the same attributes even when you delete a SameSite=none cookie. (Firefox seems to be merging the attributes as far as I can tell, taking SameSite=none from the previous cookie and applying the must-be-secure rule to the new one, but is currently just throwing a warning in the console log.)
If the intent is to require updates and deletions to match the attributes, I can't find it in the spec, and if the intent is to leave it up to the user-agent, I don't see that either.
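The following is an added toy model of the storage-model checks from draft-ietf-httpbis-rfc6265bis that this thread turns on; it is not code from the draft or from any browser, and the `Cookie`/`CookieStore` names, the exact-match replacement key and the three contexts are assumptions made here to reproduce the maintainer's example (a `SameSite=None; Secure` cookie being overwritten by a cookie with neither attribute from three different contexts).

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str = "example.com"
    path: str = "/"
    secure: bool = False
    samesite: str = "Lax"  # a missing SameSite attribute is treated as Lax

class CookieStore:
    """Simplified model of the 6265bis storage steps relevant to this issue."""

    def __init__(self):
        self.cookies = []

    def _key(self, c):
        # Replacement matches on name, domain and path only (exact match here,
        # simplified from the draft's domain-match/path-match); SameSite is not
        # part of the key, so it does not have to match for an update to apply.
        return (c.name, c.domain, c.path)

    def store(self, new, secure_scheme, same_site):
        """Try to set `new`; returns 'stored' or the reason it was rejected."""
        if new.secure and not secure_scheme:
            return "rejected: Secure cookie from a non-secure scheme"
        if new.samesite == "None" and not new.secure:
            return "rejected: SameSite=None requires Secure"
        if new.samesite != "None" and not same_site:
            return "rejected: cross-site context may only set SameSite=None"
        old = [c for c in self.cookies if self._key(c) == self._key(new)]
        # "Leave Secure cookies alone": a non-secure scheme cannot overwrite one.
        if not secure_scheme and any(c.secure for c in old):
            return "rejected: existing Secure cookie cannot be overwritten"
        self.cookies = [c for c in self.cookies if self._key(c) != self._key(new)] + [new]
        return "stored"

    def get(self, name):
        return next((c for c in self.cookies if c.name == name), None)

def demo():
    """Constructed scenario: start with SameSite=None; Secure, then update it."""
    store = CookieStore()
    store.store(Cookie("id", "1", secure=True, samesite="None"), True, True)
    update = Cookie("id", "2")  # no Secure, no SameSite attribute
    results = {
        "ctx1": store.store(update, secure_scheme=False, same_site=True),  # http://example.com
        "ctx3": store.store(update, secure_scheme=True, same_site=False),  # cross-site iframe
        "ctx2": store.store(update, secure_scheme=True, same_site=True),   # https://example.com
    }
    final = store.get("id")
    results["final"] = (final.value, final.secure, final.samesite)
    return results
```

Only the same-site https context succeeds, and the stored cookie becomes a plain Lax cookie, so under this reading the attributes do not have to be repeated on update; the http and cross-site attempts are rejected for reasons unrelated to SameSite matching.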