isaacs/8d957edab609b4d122811ee945fd92fd
Created March 17, 2017 21:45
```js
const http = require('http')

// firstServer (localhost:8080) sets a SameSite=Strict cookie and echoes the
// request headers so you can see whether the browser sent the cookie back.
const firstServer = http.createServer((req, res) => {
  console.log('firstServer request', req.url, req.headers)
  // "host=localhost:8080" is not a recognised cookie attribute and browsers
  // ignore it; the attribute that matters for this test is SameSite=Strict.
  res.setHeader('set-cookie', 'foo=bar; max-age=10000000; host=localhost:8080; SameSite=Strict')
  res.setHeader('content-type', 'text/html')
  res.write('<pre>')
  res.write(JSON.stringify(req.headers, null, 2) + '\n')
  if (req.headers.cookie)
    res.end('<a href="' + secondServerHost + req.url +
      '">dont click, copy this url to the address bar, ' +
      'observe cookie vanish</a>\n')
  else
    res.end('<a href="' + req.url +
      '">refresh to see cookie appear</a>\n')
})

// secondServer (127.0.0.1:8081) is the same machine but a different site as
// far as SameSite is concerned; all it does is redirect back to firstServer.
const secondServer = http.createServer((req, res) => {
  console.log('secondServer request', req.url, req.headers)
  // 301 responses are cacheable, so on repeat visits to the same path the
  // browser may replay the redirect without this log line appearing.
  res.statusCode = 301
  const redir = firstServerHost + req.url
  res.setHeader('content-type', 'text/html')
  res.setHeader('location', redir)
  res.end('<a href="' + redir + '">' + redir + '</a>\n')
})

// Declared after the handlers, but only read once a request arrives.
const firstServerHost = 'http://localhost:8080'
const secondServerHost = 'http://127.0.0.1:8081'

firstServer.listen(8080, _ => {
  secondServer.listen(8081, _ => {
    console.log('load in chrome: ' + firstServerHost + '/test')
  })
})
```
Run the script above in Node.js, then open localhost:8080/test in your browser and follow the instructions. Note that localhost and 127.0.0.1 resolve to the same machine but are different sites for SameSite purposes, which is why the hop through 127.0.0.1:8081 counts as a cross-site redirect.

When typing `example.com` into the URL bar, if the response is an HTTP 3xx redirection to `othersite.com`, then Chrome will not send `SameSite=Strict` cookies to `othersite.com`. However, if the user clicks a link or bookmark, or loads `example.com` in some other way, and it then redirects to `othersite.com`, then the cookies for `othersite.com` are sent.

This is a bug in Chrome. `SameSite=Strict` cookies should always be sent for top-level requests to a host (i.e., not via a link, iframe, img src, etc.), whether the user went there directly or via a redirect, and whether the redirect came from a link click or from a URL bar entry.

This is very annoying for sharing short links to logged-in states. If I type `sho.rt/link` into my address bar, and that redirects to `https://www.my-example-site-with-a-long-name.com/important/logged/in/page`, then the secure `SameSite=Strict` cookie won't be sent, and I'll instead get a page asking me to log in or register to see the hidden content (or just a 404). Reloading does load the content, but by then I may already have been redirected to `/signup?done=/important/logged/in/page`.
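As an added illustration, not part of the gist, the following Node script models the two decision rules implied by the description above and runs the gist's scenarios through both: an "observed" rule, where the site used for the SameSite check is fixed when the navigation starts (the linking page, or for a typed URL the first URL requested) and is not updated across redirects, and the "proposed" rule the gist argues for, where a typed URL or bookmark is always same-site with wherever it ends up. Both rules, the function names (`siteOf`, `sameSite`, `strictCookieSent`, `evaluateAll`) and the scenario table are assumptions written for this example; none of it is Chrome's implementation, and the site comparison is approximated as the last two host labels rather than the Public Suffix List.

```javascript
// Added example, not part of the gist: a model of how a SameSite=Strict
// cookie decision can depend on the redirect chain of a top-level navigation.
// Both rules below are assumptions written to match the behaviour the gist
// describes; neither is Chrome's source.

// Registrable domain, approximated as the last two DNS labels. Browsers use
// the Public Suffix List; this shortcut is an assumption that holds for the
// hosts used here (localhost, 127.0.0.1, sho.rt, example.com, ...).
function siteOf(urlString) {
  const host = new URL(urlString).hostname
  if (/^[0-9.]+$/.test(host) || host.startsWith('[')) return host // IP literal
  return host.split('.').slice(-2).join('.')
}

function sameSite(a, b) {
  return siteOf(a) === siteOf(b)
}

// initiator: URL of the page whose link was clicked, or null when the user
// typed the URL or used a bookmark (browser-initiated navigation).
// chain: every URL requested in order, ending with the one that served content.
function strictCookieSent(initiator, chain, rule) {
  const finalUrl = chain[chain.length - 1]
  switch (rule) {
    case 'observed':
      // Site for cookies is fixed at the start of the navigation and is not
      // updated across redirects: the linking page if there is one,
      // otherwise the first URL requested. A typed URL that redirects
      // cross-site therefore arrives without the cookie.
      return sameSite(initiator === null ? chain[0] : initiator, finalUrl)
    case 'proposed':
      // The gist's position: a browser-initiated top-level navigation is
      // always same-site with its destination; a link click is same-site
      // when the linking page is.
      return initiator === null || sameSite(initiator, finalUrl)
    default:
      throw new Error('unknown rule: ' + rule)
  }
}

// Scenarios from the gist (constructed inputs, not captured traffic).
const scenarios = {
  // copy the 127.0.0.1:8081 link into the address bar
  typed: { initiator: null,
    chain: ['http://127.0.0.1:8081/test', 'http://localhost:8080/test'] },
  // click the same link on the localhost:8080 page instead
  clicked: { initiator: 'http://localhost:8080/test',
    chain: ['http://127.0.0.1:8081/test', 'http://localhost:8080/test'] },
  // reload localhost:8080/test after landing there
  reload: { initiator: null, chain: ['http://localhost:8080/test'] },
  // short link typed into the address bar
  shortlink: { initiator: null,
    chain: ['https://sho.rt/link',
      'https://www.my-example-site-with-a-long-name.com/important/logged/in/page'] },
}

// Returns { scenarioName: { observed: bool, proposed: bool } }.
function evaluateAll() {
  const result = {}
  for (const [name, s] of Object.entries(scenarios)) {
    result[name] = {
      observed: strictCookieSent(s.initiator, s.chain, 'observed'),
      proposed: strictCookieSent(s.initiator, s.chain, 'proposed'),
    }
  }
  return result
}

for (const [name, r] of Object.entries(evaluateAll())) {
  console.log(name.padEnd(10), 'observed:', r.observed, ' proposed:', r.proposed)
}
```

Under the "observed" rule only the `typed` and `shortlink` rows lose the cookie, which is exactly the pair of cases the gist complains about; under the "proposed" rule every row keeps it. Swapping in a Public Suffix List lookup for `siteOf` is the only change needed to run real hostnames through the same two rules.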