Created
March 17, 2017 21:45
-
-
Save isaacs/8d957edab609b4d122811ee945fd92fd to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const http = require('http') | |
| const firstServer = http.createServer((req, res) => { | |
| console.log('firstServer request', req.url, req.headers) | |
| res.setHeader('set-cookie', 'foo=bar; max-age=10000000; host=localhost:8080; SameSite=Strict') | |
| res.setHeader('content-type', 'text/html') | |
| res.write('<pre>') | |
| res.write(JSON.stringify(req.headers, null, 2) + '\n') | |
| if (req.headers.cookie) | |
| res.end('<a href="' + secondServerHost + req.url + | |
| '">dont click, copy this url to the address bar, '+ | |
| 'observe cookie vanish</a>\n') | |
| else | |
| res.end('<a href="' + req.url + | |
| '">refresh to see cookie appear</a>\n') | |
| }) | |
| const secondServer = http.createServer((req, res) => { | |
| console.log('secondServer request', req.url, req.headers) | |
| res.statusCode = 301 | |
| const redir = firstServerHost + req.url | |
| res.setHeader('content-type', 'text/html') | |
| res.setHeader('location', redir) | |
| res.end('<a href="' + redir + '">' + redir + '</a>\n') | |
| }) | |
| const firstServerHost = 'http://localhost:8080' | |
| const secondServerHost = 'http://127.0.0.1:8081' | |
| firstServer.listen(8080, _ => { | |
| secondServer.listen(8081, _=> { | |
| console.log('load in chrome: ' + firstServerHost + '/test') | |
| }) | |
| }) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Run the script above in Node.js, and then open up
localhost:8080/testin your browser, and follow the instructions.When typing
example.cominto the url bar, if the response is a http 3xx redirection toothersite.com, then Chrome will not sendSameSite=strictcookies toothersite.com. However, if the user clicks a link or bookmark, or loadsexample.comin some other way, and it then redirects toothersite.com, then the cookies forothersite.comare sent.This is a bug in Chrome.
SameSite=strictcookies should always be sent for top-level requests to a host (ie, not via link, iframe, img src, etc.), whether the user went there directly, or via a redirect, and whether the redirect came from a link click or from a url bar entry.This is very annoying for sharing short links to logged-in states. If I type
sho.rt/linkin my address bar, and that redirects tohttps://www.my-example-site-with-a-long-name.com/important/logged/in/page, then the secureSameSite=strictcookie won't be sent, and I'll instead get a page to log in or register to see the hidden content. (Or just a 404). Reloading, however, causes the content to be loaded (but I may have already been redirected to/signup?done=/important/logged/in/page.)