
A cookie has been set with the SameSite=Strict attribute. When JavaScript tries to read the cookie before making an XHR request, the cookie seems to be unavailable. But the developer tools show the cookie exists. This problem is happening only in the recent version of Firefox. Not sure if I am missing anything. The domain and the path are set right on the cookie.

Karthik
  • I experience the same thing. It works if I set samesite=lax on the cookie. Then I can read it from JS. But that is not really what I want. samesite should not work like this, I think. – doorstuck Jul 25 '18 at 08:25
  • I created this: https://bugzilla.mozilla.org/show_bug.cgi?id=1478280 to see what they say about it. I cannot figure out why it behaves like this. Note it works if I refresh the page after the XHR request has been done. – doorstuck Jul 25 '18 at 09:52
  • I can confirm that Firefox 63, when the domain is other than `localhost`, does not allow JavaScript to read a cookie received with `SameSite=strict`. Chrome 70 works fine. – Kos Prov Nov 26 '18 at 00:21
  • ... and this only happens when I navigate to the page using a link. If I open a new tab and enter the address, it works. Weird stuff... – Kos Prov Nov 26 '18 at 07:49

2 Answers

Apparently, it depends on how you get to the page that performs the XHR request. If you get there by clicking on a link on another website (say, following a link in your webmail client), the Strict cookies will not be available, even in subsequent XHR requests! This behaviour seems to be different in Firefox than in other browsers.

You may find some more info here: https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/

Mladen Jablanović

I still don't know why; I think it's about the Firefox behavior. I fixed it by using location.replace("") to reload the page, but you can also use "lax" or "none" to fix that.