When running Granian with HTTP/2 some cookies are missing. I created the following test application:

def app(environ, start_response):
    headers = [
        ('Content-Type', 'text/html'),
        ('Set-Cookie', 'csrftoken=abcdef; expires=Mon, 05 May 2025 22:45:47 GMT; HttpOnly; Max-Age=31449600; Path=/; SameSite=Strict; Secure'),
        ('Set-Cookie', 'sessionid=123456; expires=Mon, 05 May 2025 22:45:47 GMT; HttpOnly; Max-Age=31449600; Path=/; SameSite=Strict; Secure'),
    ]
    try:
        cookies = environ["HTTP_COOKIE"]
    except KeyError:
        cookies = ""

    start_response('200 OK', headers)
    return [f'<html><body>Cookies: {cookies}</body></html>'.encode()]

If I run Granian with HTTP/2 and visis the site with Firefox or Chrome I only see the sessionid cookie, not the csrftoken cookie. With curl it seems to work however. I ran Granian using:

granian --http 2 --ssl-keyfile key.pem --ssl-certificate cert.pem --interface wsgi app:app

If I run it with HTTP/1 it works without problem however:

granian --http 1 --ssl-keyfile key.pem --ssl-certificate cert.pem --interface wsgi app:app

It might be caused by hyperium/hyper#2528. I don't know if the Firefox and Chrome split the cookies and curl does not, but if that is the case it would explain why there is no problem with curl but there is a problem with Firefox and Chrome.

@dekkers no, this is a Granian bug on WSGI protocol, thank you for reporting this