
Cookies are not set when port differs on the same domain #199

Closed
m4nuC opened this issue Sep 9, 2015 · 7 comments

Comments


m4nuC commented Sep 9, 2015

A request from localhost:3000 to localhost:8000 will ignore cookies. Though cookies are supposed to be port agnostic. Is this an implementation issue?

Contributor

dgraham commented Sep 9, 2015

Cookies are not included in the fetch request by default: https://github.com/github/fetch#sending-cookies.

@dgraham dgraham closed this as completed Sep 9, 2015
Author

m4nuC commented Sep 9, 2015

Thanks. It turned out to be a cross domain issue caused by the 'credentials' : 'include' config.

Author

m4nuC commented Sep 10, 2015

Though that still doesn't explain why different ports are being treated as CORS. I shouldn't have to add 'credentials' : 'include' for cookies to work.

Contributor

dgraham commented Sep 10, 2015

Port number is a component of the same-origin policy.

Author

m4nuC commented Sep 11, 2015

Yea. Got it, thanks

@BrendanFDMoore

Sorry to raise this from the dead, but I don't believe that interpretation is correct @dgraham

See this RFC: https://tools.ietf.org/html/rfc6265
and the summary via quoted relevant sections lifted from here: https://stackoverflow.com/questions/1612177/are-http-cookies-port-specific

For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a given cookie is intended for "secure" connections, but the Secure attribute does not provide integrity in the presence of an active network attacker. Similarly, cookies for a given host are shared across all the ports on that host, even though the usual "same-origin policy" used by web browsers isolates content retrieved via different ports.

8.5. Weak Confidentiality
Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server.

From this, I would expect cookies set for example.com:3000 to be sent to example.com:4000 also.

Contributor

mislav commented Oct 15, 2018

@BrendanFDMoore Your interpretation of the spec might be absolutely correct. However, our fetch polyfill does not implement anything regarding cookies, and never will. Handling of cookies is either up to the browser's native implementation of fetch (if there is one), or native implementation of XMLHttpRequest (which our polyfill uses). We can't affect anything about how the browser stores or sends cookies.
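The thread above rests on two separate rules that are easy to conflate, so here is an added example (not code from the fetch polyfill or any participant) that models both side by side: the same-origin check that makes localhost:3000 -> localhost:8000 a cross-origin request, and the RFC 6265 cookie-scope check that ignores the port entirely. It assumes the global URL class available in browsers and Node, and the cookie object shape is a simplified model of my own.

```javascript
// Added illustration, not the polyfill's implementation.
// Rule 1 (same-origin policy): scheme, host AND port must match.
function origin(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function isSameOrigin(a, b) {
  return origin(a) === origin(b);
}

// Rule 2 (RFC 6265 cookie scope): host + path (+ Secure over https).
// The port is deliberately never consulted, matching section 8.5.
// Cookie shape is a constructed, simplified model: { domain, path, secure }.
function cookieMatches(cookie, urlString) {
  const u = new URL(urlString);
  const hostOk = cookie.domain === u.hostname;       // host-only match
  const pathOk = u.pathname.startsWith(cookie.path);  // path prefix match
  const secureOk = !cookie.secure || u.protocol === 'https:';
  return hostOk && pathOk && secureOk;
}

// Consequence for fetch(): the browser holds the cookie for both ports (rule 2),
// but only attaches it to a cross-origin request (rule 1) when the caller opts in.
function fetchInitFor(pageUrl, targetUrl) {
  return isSameOrigin(pageUrl, targetUrl)
    ? { credentials: 'same-origin' } // current Fetch spec default
    : { credentials: 'include' };    // cross-origin; the server must also reply with
                                     // Access-Control-Allow-Credentials: true and an
                                     // explicit Access-Control-Allow-Origin (not '*').
}

// Constructed scenario from the issue: page on :3000 calling an API on :8000.
const sessionCookie = { domain: 'localhost', path: '/', secure: false };
console.log(isSameOrigin('http://localhost:3000/app', 'http://localhost:8000/api')); // false
console.log(cookieMatches(sessionCookie, 'http://localhost:8000/api'));              // true
console.log(fetchInitFor('http://localhost:3000/app', 'http://localhost:8000/api'));
```

Both comments in the thread are therefore right: the cookie jar is shared across ports, while the request that would carry it is still cross-origin and needs the explicit credentials mode plus matching CORS headers from the :8000 server.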

Repository owner locked as resolved and limited conversation to collaborators Oct 15, 2018