cannot send with some cookies by GET method
WankkoRee opened this issue · comments
if server set cookie 'sameSite' attr to true, it can not be send with by GET.
Could you describe more details?
While executing GET method, the extension navigates the tab to URL directly using Chrome API chrome.tabs.update.
Therefore, I think the behaviour should be same as entering URL in location bar manually.
in server, set attr named 'SameSite' of a cookie to True. like this
reply.setCookie('token', token, {
domain: process.env.SITE_HOST,
path: '/',
secure: process.env.SITE_HTTPS === "true",
httpOnly: true,
maxAge: 86400,
sameSite: true // alternative CSRF protection
})
then in browser, i access a page to get this cookie.
- after that, i send a GET HTTP by hackbar, it can not be send with this cookie.
- but if i just enter the same url in address bar of browser, it can be send with this cookie.
我英語不太好,所以再用國語講一遍。
在伺服器上配置cookie的SameSite屬性為真,比如這樣
reply.setCookie('token', token, {
domain: process.env.SITE_HOST,
path: '/',
secure: process.env.SITE_HTTPS === "true",
httpOnly: true,
maxAge: 86400,
sameSite: true // alternative CSRF protection
})
接著在瀏覽器里訪問網頁得到這個cookie。
- 之後我通過hackbar發送GET請求,這個cookie不會被帶上。
- 但是如果我直接在瀏覽器的地址欄里輸入同樣的url,這個cookie會被帶上。
The following is my server code:
const express = require('express')
const cookieParser = require("cookie-parser");
const app = express()
app.use(cookieParser())
app.get('/', function (req, res) {
res.cookie('foo', 'bar', {
domain: '127.0.0.1',
path: '/',
httpOnly: true,
maxAge: 86400,
sameSite: true
}).send('Cookie received: ' + JSON.stringify(req.cookies))
})
app.listen(4000)And here is test video:
I think it works as expected.
By the way, my Chrome is 91.0.4472.164 because there is a bug in v92, leading to crash if systemd is v249.
thx, I try to use edge 92.0.902.62. there is no problem again.
the browser I use is cent browser 4.3.9.248 with Chromium 86.0.4240.198. i cant confirm whether it’s caused by the browser or other extensions.
thx again!