[Webkit-unassigned] [Bug 232088] Unable to set httpOnly cookie for localhost in Safari from Node JS

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 21 09:40:36 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=232088

--- Comment #6 from John Wilander <wilander at apple.com> ---
Thanks for filing.

(In reply to Raj from comment #0)
> Created attachment 442035 [details]
> Http Cookie on Edge vs Safari
> 
> I am using node express server to set a httpOnly cookie on localhost:3000. I
> can see cookie setting on other browsers but not on Safari. 
> 
> 
> Here is HTML code: 
> 
> <html>
>     <head>
>         <title> CGID Beta </title>
>         <script src="https://assets.adobedtm.com/43cf45b098bd/38a98b49e24d/launch-5d7d0d6eb58d-development.min.js" async></script>
>     </head>
>     <body>
>         <br><br><br>
>         <h1><center>Welcome to CGID beta program</center></h1><br><br><br><br>
>         <h3><center>To set a http only cookie click the below button</center></h3><br><br><br>
>         <center>
>             <form method="post" action="/">
>                 <button type="submit">CLICK ME</button>
>           </form>
>         </center>
>     </body>
> </html>
> 
> 
> Here is node server-side code:
> 
> const express = require("express");
> const bodyParser = require("body-parser")
> const cookieParser = require('cookie-parser');
> const { v4: uuidv4 } = require('uuid');
> 
> const app = express();
> 
> app.use(cookieParser());
> 
> app.use(bodyParser.urlencoded({
>     extended:true
> }));
> 
> app.get("/", (req, res) => {
>   res.sendFile(__dirname + "/index.html");
> });
>   
> app.post("/", function(req, res) {
>     res.cookie('CGID', uuidv4(), {
>         maxAge: 60*60*24*30*13, 
>         httpOnly: true, 
>         secure: true,

Are you using a self-signed certificate for localhost and serving all of its resources over https? Secure cookies are not accepted from non-secure pages.

>         sameSite: "lax",
>         domain: 'localhost',
>         path: '/',
>     }); 
>     //res.send("<h2>CGID is now set</h2>")
> });
> 
> app.listen(3000, () => {
>     console.log("Application started and Listening on port 3000");
>   });

-- 
You are receiving this mail because:
You are the assignee for the bug.
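
The rule pointed to in comment #6 (Secure cookies are not accepted from non-secure pages), modelled as an added example that is not part of the bug report or of WebKit's code. The function names, the `loopbackHttpIsSecure` option and the sample header are constructed for illustration; the option is an assumption that stands in for a user agent that treats plain-http loopback pages as secure.

```javascript
// Constructed sample: a Set-Cookie header carrying the attributes used in the report.
const SAMPLE = "CGID=00000000-0000-4000-8000-000000000000; Max-Age=33696; " +
  "Domain=localhost; Path=/; HttpOnly; Secure; SameSite=Lax";

// Parse one Set-Cookie header value; attribute names are lower-cased,
// flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Decide whether a cookie delivered by a response from pageUrl would be stored.
// loopbackHttpIsSecure (hypothetical option): true models a user agent that
// accepts http://localhost as secure, false models the strict behaviour.
function evaluateSetCookie(header, pageUrl, { loopbackHttpIsSecure = false } = {}) {
  const { name, attrs } = parseSetCookie(header);
  const url = new URL(pageUrl);
  const loopback = ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
  const secureOrigin =
    url.protocol === "https:" || (loopbackHttpIsSecure && loopback);

  if (attrs.secure && !secureOrigin) {
    return { name, stored: false, reason: "Secure attribute on a non-secure page" };
  }
  return { name, stored: true, reason: "accepted" };
}

// Same header, three situations: strict agent over http, https, lenient agent over http.
for (const [url, opts] of [
  ["http://localhost:3000/", {}],
  ["https://localhost:3000/", {}],
  ["http://localhost:3000/", { loopbackHttpIsSecure: true }],
]) {
  const r = evaluateSetCookie(SAMPLE, url, opts);
  console.log(url, JSON.stringify(opts), "->", r.stored ? "stored" : "dropped: " + r.reason);
}
```

The server-side header is identical in all three runs; only the page's scheme and the agent's treatment of loopback change the outcome.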