Doc: failed CORS fetch with credentials should ignore Set-Cookie response header #855

@Osintopsec

Description

The docs example at https://fetch.spec.whatwg.org/commit-snapshots/c6b3a750f811cb4f628def0313ac317d9dcec88a/#example-cors-with-credentials states that:

"If the response does not include those two headers with those values, the failure callback will be invoked and any Set-Cookie response headers will end up being ignored."

Tested the example on OS X with:

Chrome Version 71.0.3578.98 (Official Build) (64-bit)
Firefox Version 64.0 (64-bit)
Safari Version 12.0.2 (14606.3.4)

and with:

fetch("https://abc.xyz/cors-testing/cors", {credentials: "include"});
fetch("https://abc.xyz/cors-testing/cors", {credentials: "include", method: "POST"});

and found an inconsistency in the way the spec is implemented in the browsers. When a simple (GET, POST, no special request headers) CORS request with credentials (cookies) fails due to not receiving any CORS headers from the server, Chrome and Firefox go ahead and accept the Set-Cookie response header from the server and set the cookie in the browser. At the same time Safari ignores the Set-Cookie response header and does not set the cookie. (EDIT: for future reference, this was a false positive. Safari does set cookies before handling CORS if 3rd-party cookies are enabled.)

My question is: which way should it be? On a failing simple request, should the Set-Cookie response header be accepted or should it be ignored by the browser?
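As an added illustration (not code from the issue or from the Fetch standard itself), the following JavaScript reproduces the Fetch standard's CORS check for a request whose credentials mode is `include`, i.e. the rule that decides whether the failure callback in the spec example fires. The origins and the server-side allow-list are constructed for this example. Note that the check never looks at `Set-Cookie`: the cookie is applied by the network layer independently of the CORS result, which is what the edited observation about Safari describes, so a server must not treat a failing CORS check as a way to keep a cookie from being stored.

```javascript
// Added example; mirrors the Fetch standard's "CORS check" for a
// credentialed request (credentials: "include"). Not the spec's own code.

/**
 * Return true if a response would pass the CORS check for a request
 * made with credentials mode "include" from `requestOrigin`.
 * `headers` is a plain object with lower-cased header names.
 */
function corsCheckWithCredentials(requestOrigin, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  // Header absent: failure.
  if (allowOrigin === undefined) return false;
  // "*" only passes when credentials mode is NOT "include"; here it is.
  if (allowOrigin === "*") return false;
  // Byte-for-byte comparison with the serialized request origin.
  if (allowOrigin !== requestOrigin) return false;
  // Credentials mode is "include", so the credentials header must be
  // exactly "true" (case-sensitive); "True" or a missing header fails.
  return headers["access-control-allow-credentials"] === "true";
}

// Constructed allow-list standing in for a real server's configuration.
const ALLOWED_ORIGINS = new Set(["https://example.com"]);

/**
 * Headers a server should send so the credentialed request succeeds for
 * an allowed origin; for any other origin it sends no CORS headers at all,
 * which is the failing case described in the issue.
 */
function corsResponseHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    // Echo the specific origin; "*" is rejected when credentials are sent.
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    // Caches must key on Origin when the value is echoed per request.
    "vary": "Origin",
  };
}

// Scenarios from the issue; each returns pass/fail of the CORS check.
function runScenarios() {
  const origin = "https://example.com";
  return {
    noCorsHeadersButSetCookie: corsCheckWithCredentials(origin, {
      "set-cookie": "session=abc; Secure; HttpOnly", // ignored by the check
    }),
    wildcardOrigin: corsCheckWithCredentials(origin, {
      "access-control-allow-origin": "*",
      "access-control-allow-credentials": "true",
    }),
    wrongCaseCredentials: corsCheckWithCredentials(origin, {
      "access-control-allow-origin": origin,
      "access-control-allow-credentials": "True",
    }),
    correctHeaders: corsCheckWithCredentials(origin, corsResponseHeaders(origin)),
    otherOrigin: corsCheckWithCredentials(
      "https://other.example",
      corsResponseHeaders("https://other.example")
    ),
  };
}

for (const [name, passed] of Object.entries(runScenarios())) {
  console.log(`${name}: ${passed ? "CORS check passes" : "failure callback fires"}`);
}
```

Only the `correctHeaders` scenario passes; the response that carries nothing but `Set-Cookie` fails the check exactly as the spec example says, yet nothing in this logic would prevent the cookie from being stored.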
