Bug 232088

Summary: Unable to set Secure cookie for localhost
Product: WebKit Reporter: Raj <rajdeep91>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Major CC: anagstef, andresg_22, beidson, gsnedders, jonkoops, karlcow, me, rik, robertknight, samuel, v, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Safari 15   
Hardware: All   
OS: macOS 11   
See Also: https://github.com/webcompat/web-bugs/issues/142566
https://bugs.webkit.org/show_bug.cgi?id=276313
https://bugs.webkit.org/show_bug.cgi?id=218980
https://bugs.webkit.org/show_bug.cgi?id=218627
https://bugs.webkit.org/show_bug.cgi?id=281149
Attachments:
Description Flags
Http Cookie on Edge vs Safari
none
rendering in safari, firefox, chrome
none
self contained server testcase in python none

Raj
Reported 2021-10-21 09:03:43 PDT
Created attachment 442035 [details] Http Cookie on Edge vs Safari I am using node express server to set a httpOnly cookie on localhost:3000. I can see cookie setting on other browsers but not on Safari. Here is HTML code: <html> <head> <title> CGID Beta </title> <script src="https://assets.adobedtm.com/43cf45b098bd/38a98b49e24d/launch-5d7d0d6eb58d-development.min.js" async></script> </head> <body> <br><br><br> <h1><center>Welcome to CGID beta program</center></h1><br><br><br><br> <h3><center>To set a http only cookie click the below button</center></h3><br><br><br> <center> <form method="post" action="/"> <button type="submit">CLICK ME</button> </form> </center> </body> </html> Here is node server-side code: const express = require("express"); const bodyParser = require("body-parser") const cookieParser = require('cookie-parser'); const { v4: uuidv4 } = require('uuid'); const app = express(); app.use(cookieParser()); app.use(bodyParser.urlencoded({ extended:true })); app.get("/", (req, res) => { res.sendFile(__dirname + "/index.html"); }); app.post("/", function(req, res) { res.cookie('CGID', uuidv4(), { maxAge: 60*60*24*30*13, httpOnly: true, secure: true, sameSite: "lax", domain: 'localhost', path: '/', }); //res.send("<h2>CGID is now set</h2>") }); app.listen(3000, () => { console.log("Application started and Listening on port 3000"); });
Attachments
Http Cookie on Edge vs Safari (309.96 KB, image/png)
2021-10-21 09:03 PDT, Raj 		no flags
Details
rendering in safari, firefox, chrome (129.80 KB, image/png)
2026-01-14 00:39 PST, Karl Dubost 		no flags
Details
self contained server testcase in python (2.56 KB, text/x-python-script)
2026-01-14 00:41 PST, Karl Dubost 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-10-21 09:03:58 PDT
<rdar://problem/84509493>
Radar WebKit Bug Importer
Comment 2 2021-10-21 09:06:49 PDT
<rdar://problem/84509597>
Raj
Comment 3 2021-10-21 09:07:44 PDT
Oops, consider the below line of code uncommented res.send("<h2>CGID is now set</h2>")
Raj
Comment 4 2021-10-21 09:08:16 PDT
Http Cookie on Edge vs Safari I am using node express server to set a httpOnly cookie on localhost:3000. I can see cookie setting on other browsers but not on Safari. Here is HTML code: <html> <head> <title> CGID Beta </title> <script src="https://assets.adobedtm.com/43cf45b098bd/38a98b49e24d/launch-5d7d0d6eb58d-development.min.js" async></script> </head> <body> <br><br><br> <h1><center>Welcome to CGID beta program</center></h1><br><br><br><br> <h3><center>To set a http only cookie click the below button</center></h3><br><br><br> <center> <form method="post" action="/"> <button type="submit">CLICK ME</button> </form> </center> </body> </html> Here is node server-side code: const express = require("express"); const bodyParser = require("body-parser") const cookieParser = require('cookie-parser'); const { v4: uuidv4 } = require('uuid'); const app = express(); app.use(cookieParser()); app.use(bodyParser.urlencoded({ extended:true })); app.get("/", (req, res) => { res.sendFile(__dirname + "/index.html"); }); app.post("/", function(req, res) { res.cookie('CGID', uuidv4(), { maxAge: 60*60*24*30*13, httpOnly: true, secure: true, sameSite: "lax", domain: 'localhost', path: '/', }); //res.send("<h2>CGID is now set</h2>") }); app.listen(3000, () => { console.log("Application started and Listening on port 3000"); });
Raj
Comment 5 2021-10-21 09:08:58 PDT
Http Cookie on Edge vs Safari I am using node express server to set a httpOnly cookie on localhost:3000. I can see cookie setting on other browsers but not on Safari. Here is HTML code: <html> <head> <title> CGID Beta </title> <script src="https://assets.adobedtm.com/43cf45b098bd/38a98b49e24d/launch-5d7d0d6eb58d-development.min.js" async></script> </head> <body> <br><br><br> <h1><center>Welcome to CGID beta program</center></h1><br><br><br><br> <h3><center>To set a http only cookie click the below button</center></h3><br><br><br> <center> <form method="post" action="/"> <button type="submit">CLICK ME</button> </form> </center> </body> </html> Here is node server-side code: const express = require("express"); const bodyParser = require("body-parser") const cookieParser = require('cookie-parser'); const { v4: uuidv4 } = require('uuid'); const app = express(); app.use(cookieParser()); app.use(bodyParser.urlencoded({ extended:true })); app.get("/", (req, res) => { res.sendFile(__dirname + "/index.html"); }); app.post("/", function(req, res) { res.cookie('CGID', uuidv4(), { maxAge: 60*60*24*30*13, httpOnly: true, secure: true, sameSite: "lax", domain: 'localhost', path: '/', }); res.send("<h2>CGID is now set</h2>") }); app.listen(3000, () => { console.log("Application started and Listening on port 3000"); });
John Wilander
Comment 6 2021-10-21 09:40:36 PDT
Thanks for filing. (In reply to Raj from comment #0) > Created attachment 442035 [details] > Http Cookie on Edge vs Safari > > I am using node express server to set a httpOnly cookie on localhost:3000. I > can see cookie setting on other browsers but not on Safari. > > > Here is HTML code: > > <html> > <head> > <title> CGID Beta </title> > <script > src="https://assets.adobedtm.com/43cf45b098bd/38a98b49e24d/launch- > 5d7d0d6eb58d-development.min.js" async></script> > </head> > <body> > <br><br><br> > <h1><center>Welcome to CGID beta > program</center></h1><br><br><br><br> > <h3><center>To set a http only cookie click the below > button</center></h3><br><br><br> > <center> > <form method="post" action="/"> > <button type="submit">CLICK ME</button> > </form> > </center> > </body> > </html> > > > Here is node server-side code: > > const express = require("express"); > const bodyParser = require("body-parser") > const cookieParser = require('cookie-parser'); > const { v4: uuidv4 } = require('uuid'); > > const app = express(); > > app.use(cookieParser()); > > app.use(bodyParser.urlencoded({ > extended:true > })); > > app.get("/", (req, res) => { > res.sendFile(__dirname + "/index.html"); > }); > > app.post("/", function(req, res) { > res.cookie('CGID', uuidv4(), { > maxAge: 60*60*24*30*13, > httpOnly: true, > secure: true, Are you using a self-signed certificate for localhost and serving all of its resources over https? Secure cookies are not accepted from non-secure pages. > sameSite: "lax", > domain: 'localhost', > path: '/', > }); > //res.send("<h2>CGID is now set</h2>") > }); > > app.listen(3000, () => { > console.log("Application started and Listening on port 3000"); > });
Sam Sneddon [:gsnedders]
Comment 7 2021-10-21 17:19:19 PDT
(In reply to John Wilander from comment #6) > Are you using a self-signed certificate for localhost and serving all of its > resources over https? Secure cookies are not accepted from non-secure pages. This is notably different to every other browser where localhost is treated as a secure context; this is likely another dupe of bug 218980 as a result.
Robert Knight
Comment 8 2023-12-13 03:42:25 PST
We got tripped up by this today. Something that makes it extra confusing is that Safari does treat localhost as secure in other respects (eg. `window.isSecureContext`).
Julian
Comment 9 2024-01-25 14:37:32 PST
(In reply to John Wilander from comment #6) Thank you for this extremely helpful clarification: > Are you using a self-signed certificate for localhost and serving all of its > resources over https? Secure cookies are not accepted from non-secure pages. This issue tripped up my team for several hours today, and although the behavior makes sense, but it would be helpful to have more documentation. I would also like to note that chromium and gecko engines have different behavior and accept the cookie. Thanks, Julian
Stefanos
Comment 10 2024-07-01 04:31:41 PDT
(In reply to Robert Knight from comment #8) > We got tripped up by this today. Something that makes it extra confusing is > that Safari does treat localhost as secure in other respects (eg. > `window.isSecureContext`). I agree with this. Is there a reasoning/explanation on why the `window.isSecureContext` returns `true` on `localhost` but then it rejects cookies with the `Secure` attribute? Thanks!
Karl Dubost
Comment 11 2024-10-09 01:39:08 PDT
A very similar report has been created on webcompat.com https://github.com/webcompat/web-bugs/issues/142566 And there are other instances of bugs on bugs.webkit.org which are similar such as Bug 276313
Karl Dubost
Comment 12 2024-10-09 18:28:44 PDT
There are larger intrinsic issues about localhost and secure contexts, including dependencies probably on the OS. The WebKit team is looking at them. And also inconsistencies which need to be solved, see for example Bug 281149
Samuel da Silva
Comment 13 2025-02-24 16:08:32 PST
Wait but is this acknowledged as a bug? Was localhost supposed to be treated as a Secure context and it isn't? Or is it a Mac OS policy and it has to be fixed there? Or is the security policy asinine and this is a WONTFIX? Is there any updates on this?
Viktor Holmberg
Comment 14 2025-12-12 08:12:01 PST
I would also like to know if this is acknowledged as a bug? (I consider it to be)
Karl Dubost
Comment 15 2025-12-15 14:49:27 PST
https://w3c.github.io/webappsec-secure-contexts/#localhost 5.2. localhost Section 6.3 of [RFC6761] lays out the resolution of localhost. and names falling within .localhost. as special, and suggests that local resolvers SHOULD/MAY treat them specially. For better or worse, resolvers often ignore these suggestions, and will send localhost to the network for resolution in a number of circumstances. Given that uncertainty, user agents MAY treat localhost names as having potentially trustworthy origins if and only if they also adhere to the localhost name resolution rules spelled out in [let-localhost-be-localhost] (which boil down to ensuring that localhost never resolves to a non-loopback address).
Viktor Holmberg
Comment 16 2025-12-15 23:38:10 PST
Thanks, that clarifies the spec - so you're saying other aspects need to be fixed first (i.e ensuring that localhost is not resolved to a network location)? From a security standpoint, I'm sure many teams fall back to disabling secure cookies in order to test on localhost, which isn't great.
Anthony Ricaud
Comment 17 2026-01-10 03:52:47 PST
I just ran into the issue today from a Python server and without `HttpOnly` set. Just using `Secure` is enough. Because of that, I'm changing the title to remove those details that are not relevant to the issue.
Karl Dubost
Comment 18 2026-01-14 00:39:42 PST
Created attachment 478007 [details] rendering in safari, firefox, chrome This is a test with Safari, Firefox and Chrome on http://localhost:8000 Using a server doing self.send_response(200) self.send_header('Content-Type', 'text/html') self.send_header('Set-Cookie', 'securecookie=testvalue; Secure; Path=/') self.end_headers()
Karl Dubost
Comment 19 2026-01-14 00:41:43 PST
Created attachment 478008 [details] self contained server testcase in python Start the server with python3 server-securecokie.py Then follow the instructions. Go to http://localhost:8000 In Firefox, Chrome, the cookie is set In Safari, the cookie is not set. Thanks Rik for making the bug even leaner and cleaner. Only Secure attribute matters here.
Jon Koops
Comment 20 2026-01-14 00:59:03 PST
(In reply to Viktor Holmberg from comment #16) > From a security standpoint, I'm sure many teams fall back to disabling > secure cookies in order to test on localhost, which isn't great. This is what my team has had to do in Keycloak, and it gives us a world of pain. See: https://github.com/keycloak/keycloak/blob/cca5ef44fa715a2e39bf21fe9d3de59d6eff004a/services/src/main/java/org/keycloak/utils/SecureContextResolver.java#L44-L53
Note You need to log in before you can comment on or make changes to this bug.