Cookie Store API can read cookies set by document.cookie but not delete or modify them (if the cookie has a path) #244
Comments
|
The appending of |
|
@johannhof could you maybe get this prioritized? Thanks! |
|
@DCtheTall was going take a look, I think |
|
@johannhof @annevk I was able to reproduce this on Chromium fairly easily following the instructions from @RupinMittal I have assigned myself https://crbug.com/402779102 to track patching this in Chromium |
aarongable
pushed a commit
to chromium/chromium
that referenced
this issue
May 15, 2025
Remove this behavior for better interoperability with document.cookie and the Set-Cookie header. This logic was added in https://chromium-review.googlesource.com/c/chromium/src/+/2131031 but it is unclear why that was done (per WICG/cookie-store#244). This change additionally updates the set/delete test cleanup methods to use the `Set-Cookie` header instead of `cookieStore.delete` to delete cookies to avoid a dependency on the API being tested. Bug: 402779102 Change-Id: I50fea05101c839f55736e7f3c958c919dd119f27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6520094 Auto-Submit: Anusha Muley <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Reviewed-by: Dylan Cutler <[email protected]> Commit-Queue: Dylan Cutler <[email protected]> Commit-Queue: Anusha Muley <[email protected]> Cr-Commit-Position: refs/heads/main@{#1460844}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
May 15, 2025
Remove this behavior for better interoperability with document.cookie and the Set-Cookie header. This logic was added in https://chromium-review.googlesource.com/c/chromium/src/+/2131031 but it is unclear why that was done (per WICG/cookie-store#244). This change additionally updates the set/delete test cleanup methods to use the `Set-Cookie` header instead of `cookieStore.delete` to delete cookies to avoid a dependency on the API being tested. Bug: 402779102 Change-Id: I50fea05101c839f55736e7f3c958c919dd119f27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6520094 Auto-Submit: Anusha Muley <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Reviewed-by: Dylan Cutler <[email protected]> Commit-Queue: Dylan Cutler <[email protected]> Commit-Queue: Anusha Muley <[email protected]> Cr-Commit-Position: refs/heads/main@{#1460844}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
May 15, 2025
Remove this behavior for better interoperability with document.cookie and the Set-Cookie header. This logic was added in https://chromium-review.googlesource.com/c/chromium/src/+/2131031 but it is unclear why that was done (per WICG/cookie-store#244). This change additionally updates the set/delete test cleanup methods to use the `Set-Cookie` header instead of `cookieStore.delete` to delete cookies to avoid a dependency on the API being tested. Bug: 402779102 Change-Id: I50fea05101c839f55736e7f3c958c919dd119f27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6520094 Auto-Submit: Anusha Muley <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Reviewed-by: Dylan Cutler <[email protected]> Commit-Queue: Dylan Cutler <[email protected]> Commit-Queue: Anusha Muley <[email protected]> Cr-Commit-Position: refs/heads/main@{#1460844}
lando-prod-mozilla bot
pushed a commit
to mozilla-firefox/firefox
that referenced
this issue
May 22, 2025
…" to the path attribute, Automatic update from web-platform-tests Update cookieStore WPTs to not append "/" to the path attribute Remove this behavior for better interoperability with document.cookie and the Set-Cookie header. This logic was added in https://chromium-review.googlesource.com/c/chromium/src/+/2131031 but it is unclear why that was done (per WICG/cookie-store#244). This change additionally updates the set/delete test cleanup methods to use the `Set-Cookie` header instead of `cookieStore.delete` to delete cookies to avoid a dependency on the API being tested. Bug: 402779102 Change-Id: I50fea05101c839f55736e7f3c958c919dd119f27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6520094 Auto-Submit: Anusha Muley <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Reviewed-by: Dylan Cutler <[email protected]> Commit-Queue: Dylan Cutler <[email protected]> Commit-Queue: Anusha Muley <[email protected]> Cr-Commit-Position: refs/heads/main@{#1460844} -- wpt-commits: 40130390ab10d1a05a1b8a2e964e016e2ae57a9b wpt-pr: 52572 Differential Revision: https://phabricator.services.mozilla.com/D250640
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
May 22, 2025
…" to the path attribute, Automatic update from web-platform-tests Update cookieStore WPTs to not append "/" to the path attribute Remove this behavior for better interoperability with document.cookie and the Set-Cookie header. This logic was added in https://chromium-review.googlesource.com/c/chromium/src/+/2131031 but it is unclear why that was done (per WICG/cookie-store#244). This change additionally updates the set/delete test cleanup methods to use the `Set-Cookie` header instead of `cookieStore.delete` to delete cookies to avoid a dependency on the API being tested. Bug: 402779102 Change-Id: I50fea05101c839f55736e7f3c958c919dd119f27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6520094 Auto-Submit: Anusha Muley <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Reviewed-by: Dylan Cutler <[email protected]> Commit-Queue: Dylan Cutler <[email protected]> Commit-Queue: Anusha Muley <[email protected]> Cr-Commit-Position: refs/heads/main@{#1460844} -- wpt-commits: 40130390ab10d1a05a1b8a2e964e016e2ae57a9b wpt-pr: 52572 Differential Revision: https://phabricator.services.mozilla.com/D250640
i3roly
pushed a commit
to i3roly/firefox-dynasty
that referenced
this issue
May 24, 2025
…" to the path attribute, Automatic update from web-platform-tests Update cookieStore WPTs to not append "/" to the path attribute Remove this behavior for better interoperability with document.cookie and the Set-Cookie header. This logic was added in https://chromium-review.googlesource.com/c/chromium/src/+/2131031 but it is unclear why that was done (per WICG/cookie-store#244). This change additionally updates the set/delete test cleanup methods to use the `Set-Cookie` header instead of `cookieStore.delete` to delete cookies to avoid a dependency on the API being tested. Bug: 402779102 Change-Id: I50fea05101c839f55736e7f3c958c919dd119f27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6520094 Auto-Submit: Anusha Muley <[email protected]> Reviewed-by: Chris Fredrickson <[email protected]> Reviewed-by: Dylan Cutler <[email protected]> Commit-Queue: Dylan Cutler <[email protected]> Commit-Queue: Anusha Muley <[email protected]> Cr-Commit-Position: refs/heads/main@{#1460844} -- wpt-commits: 40130390ab10d1a05a1b8a2e964e016e2ae57a9b wpt-pr: 52572 Differential Revision: https://phabricator.services.mozilla.com/D250640
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this issue
May 28, 2025
…" to the path attribute, Automatic update from web-platform-tests Update cookieStore WPTs to not append "/" to the path attribute Remove this behavior for better interoperability with document.cookie and the Set-Cookie header. This logic was added in https://chromium-review.googlesource.com/c/chromium/src/+/2131031 but it is unclear why that was done (per WICG/cookie-store#244). This change additionally updates the set/delete test cleanup methods to use the `Set-Cookie` header instead of `cookieStore.delete` to delete cookies to avoid a dependency on the API being tested. Bug: 402779102 Change-Id: I50fea05101c839f55736e7f3c958c919dd119f27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6520094 Auto-Submit: Anusha Muley <anushamuleygoogle.com> Reviewed-by: Chris Fredrickson <cfredricchromium.org> Reviewed-by: Dylan Cutler <dylancutlergoogle.com> Commit-Queue: Dylan Cutler <dylancutlergoogle.com> Commit-Queue: Anusha Muley <anushamuleygoogle.com> Cr-Commit-Position: refs/heads/main{#1460844} -- wpt-commits: 40130390ab10d1a05a1b8a2e964e016e2ae57a9b wpt-pr: 52572 Differential Revision: https://phabricator.services.mozilla.com/D250640 UltraBlame original commit: 94e22862253199ea7cdc78934d7736dabd276f79
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this issue
May 28, 2025
…" to the path attribute, Automatic update from web-platform-tests Update cookieStore WPTs to not append "/" to the path attribute Remove this behavior for better interoperability with document.cookie and the Set-Cookie header. This logic was added in https://chromium-review.googlesource.com/c/chromium/src/+/2131031 but it is unclear why that was done (per WICG/cookie-store#244). This change additionally updates the set/delete test cleanup methods to use the `Set-Cookie` header instead of `cookieStore.delete` to delete cookies to avoid a dependency on the API being tested. Bug: 402779102 Change-Id: I50fea05101c839f55736e7f3c958c919dd119f27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6520094 Auto-Submit: Anusha Muley <anushamuleygoogle.com> Reviewed-by: Chris Fredrickson <cfredricchromium.org> Reviewed-by: Dylan Cutler <dylancutlergoogle.com> Commit-Queue: Dylan Cutler <dylancutlergoogle.com> Commit-Queue: Anusha Muley <anushamuleygoogle.com> Cr-Commit-Position: refs/heads/main{#1460844} -- wpt-commits: 40130390ab10d1a05a1b8a2e964e016e2ae57a9b wpt-pr: 52572 Differential Revision: https://phabricator.services.mozilla.com/D250640 UltraBlame original commit: 94e22862253199ea7cdc78934d7736dabd276f79
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this issue
May 28, 2025
…" to the path attribute, Automatic update from web-platform-tests Update cookieStore WPTs to not append "/" to the path attribute Remove this behavior for better interoperability with document.cookie and the Set-Cookie header. This logic was added in https://chromium-review.googlesource.com/c/chromium/src/+/2131031 but it is unclear why that was done (per WICG/cookie-store#244). This change additionally updates the set/delete test cleanup methods to use the `Set-Cookie` header instead of `cookieStore.delete` to delete cookies to avoid a dependency on the API being tested. Bug: 402779102 Change-Id: I50fea05101c839f55736e7f3c958c919dd119f27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6520094 Auto-Submit: Anusha Muley <anushamuleygoogle.com> Reviewed-by: Chris Fredrickson <cfredricchromium.org> Reviewed-by: Dylan Cutler <dylancutlergoogle.com> Commit-Queue: Dylan Cutler <dylancutlergoogle.com> Commit-Queue: Anusha Muley <anushamuleygoogle.com> Cr-Commit-Position: refs/heads/main{#1460844} -- wpt-commits: 40130390ab10d1a05a1b8a2e964e016e2ae57a9b wpt-pr: 52572 Differential Revision: https://phabricator.services.mozilla.com/D250640 UltraBlame original commit: 94e22862253199ea7cdc78934d7736dabd276f79
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
The WPT tests for the Cookie Store API check that the API is able to read cookies set by document.cookie (and vice versa). This seems to imply that we want the API and document.cookie to be in sync and provide the same results--as in, you can use either to accomplish the same result.
But currently, based on the instructions in the spec, the API cannot delete or modify cookies that were set by document.cookie if those cookies have a path. (This is the behavior on both Safari and Chrome). The issue is this:
When document.cookie sets a cookie, it does not append a "/" to the end of the path. But the Cookie Store API spec says that it must append a "/" to the end of the path if one is not already there (step 12 of https://wicg.github.io/cookie-store/#set-a-cookie). If two cookies have the same exact properties (name, value, etc...), but the path's differ by an ending "/", they are considered two different cookies.
For example, on a URL with a path, like https://www.foo.com/bar, we see:
document.cookie="cookieName=cookieValue";will set a cookie with path"/bar"await cookieStore.delete({ name:'cookieName', path:'/bar' });will attempt to delete a cookie with path"/bar/"There is no such cookie and so:
await cookieStore.getAll();will show the cookie set by document.cookieDo we think the spec should be modified to not append an ending "/" so that document.cookie and this API can be fully in sync?
The text was updated successfully, but these errors were encountered: