Fetches are sending cookies they shouldn't #24911
Comments
The test names may be scarier than the actual outcome. If I remove earlier tests from the file, these don't fail; it looks like the problem is a failure to remove cookies that should be removed (which is still bad), not an actual cross-origin leak.
The cookie deletion operation here is being handled by asking the server to resend the same Set-Cookie but with max-age=0; that should then mean that it's expired when we get to the next test, but possibly we're (1) not checking expiry; (2) checking expiry within the margin of timing-granularity so it looks like 0 time has passed and we're not expired yet.
I think we're supposed to be expiring cookies during CookieStorage::cookies_for_url and not just during CookieStorage::push; if we only do it during push, then a cookie could hang around for an arbitrarily long time if we don't see another Set-Cookie header.
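Added example, not the project's own CookieStorage: a minimal Rust jar (hypothetical types and method names mirroring the ones named in the comment above, with the clock injected as whole seconds) that evicts expired cookies on cookies_for_url as well as on push, and treats Max-Age=0 as already expired even when no time has passed since the Set-Cookie arrived.

```rust
use std::collections::HashMap;
/// One stored cookie; `expires_at` is absolute seconds (None = session cookie).
#[derive(Debug, Clone, PartialEq)]
pub struct Cookie { pub name: String, pub value: String, pub expires_at: Option<u64> }

/// Minimal jar keyed by host. `now` is injected (seconds) so results are
/// deterministic and Max-Age=0 cannot be masked by clock granularity.
#[derive(Default)]
pub struct CookieStorage { jars: HashMap<String, Vec<Cookie>> }
impl CookieStorage {
    /// Store a `Set-Cookie` value of the form "name=value; Max-Age=N".
    /// Max-Age <= 0 means "already expired" (RFC 6265 5.2.2): that is how a server deletes a cookie.
    pub fn push(&mut self, host: &str, set_cookie: &str, now: u64) {
        let mut parts = set_cookie.split(';').map(str::trim);
        let (name, value) = match parts.next().and_then(|p| p.split_once('=')) {
            Some(pair) => pair,
            None => return,
        };
        let mut expires_at = None;
        for attr in parts {
            if let Some((k, v)) = attr.split_once('=') {
                if k.eq_ignore_ascii_case("max-age") {
                    if let Ok(secs) = v.parse::<i64>() {
                        expires_at = Some(if secs <= 0 { 0 } else { now + secs as u64 });
                    }
                }
            }
        }
        let jar = self.jars.entry(host.to_string()).or_default();
        jar.retain(|c| c.name != name); // a fresh Set-Cookie replaces the stored one
        jar.push(Cookie { name: name.to_string(), value: value.to_string(), expires_at });
        Self::evict_expired(jar, now);
    }

    /// Cookies to attach to a request for `host`. Expiry is enforced here too,
    /// so a cookie cannot linger just because no later Set-Cookie arrived.
    pub fn cookies_for_url(&mut self, host: &str, now: u64) -> Vec<(String, String)> {
        match self.jars.get_mut(host) {
            Some(jar) => {
                Self::evict_expired(jar, now);
                jar.iter().map(|c| (c.name.clone(), c.value.clone())).collect()
            }
            None => Vec::new(),
        }
    }

    fn evict_expired(jar: &mut Vec<Cookie>, now: u64) {
        jar.retain(|c| c.expires_at.map_or(true, |t| t > now));
    }
}
```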
WPT fetch/api/cors/cors-cookies is correctly preventing two remote origins from seeing each others' cookies, but the local origin is seeing a remote origin's cookies and vice versa.