Closed Bug 1061610 Opened 10 years ago Closed 8 years ago

Access-Control-Allow-Credentials: true not working.

Categories

(Core :: Networking: Cookies, defect)

32 Branch
x86
macOS
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: renesd, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140825202822

Steps to reproduce:

Trying to set a cookie when Access-Control-Allow-Credentials:true header is returned from the server, and withCredentials is set in JavaScript land should work.  It works in other browsers like Chrome.

See here for an example referenced from the spec.
http://arunranga.com/examples/access-control/credentialedRequest.html

Click that once, and you should see a Set-Cookie: pageAccess=1; in the headers returned by the server. Click it again to see that number incremented (it's not in Firefox).


Actual results:

It should be setting a cookie, but it is not.




Expected results:

It should be setting a cookie, but it is not.

In other browsers it sends the header "Set-Cookie: pageAccess=2;..." on the second click.
Here is the Mozilla Developer Network page "Access-Control-Allow-Credentials" section: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control#Access-Control-Allow-Credentials

The "Requests with credentials" section is also relevant (this is where I found the example which is not working in Firefox): https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials
I had Settings->Privacy-> Accept-third-party cookies: never set.  So this behaviour is expected.  When I changed it to Always it worked again.  This does break CORS for a lot of use cases however.

A warning for why the Set-Cookie fails would be nice, but I guess this bug can be closed.
Component: Untriaged → Networking: Cookies
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
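
The warning the reporter asks for, sketched as an added example (not part of the bug report and not Firefox code): a check that explains why a credentialed cross-origin response would not result in a stored cookie. The function name, the finding codes, the `app.example`/`api.example` hosts and the hostname-based third-party test are assumptions made for illustration.

```javascript
// Added example: a simplified model, not Firefox's implementation.
// `thirdPartyCookies` ("always" | "never") mirrors the preference named in the report.
// `responseHeaders` are the headers as seen in the network panel (constructed below).
function diagnoseCredentialedCors(req) {
  const page = new URL(req.pageUrl);
  const target = new URL(req.requestUrl);
  const h = {};
  for (const [name, value] of Object.entries(req.responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];
  if (page.origin !== target.origin) {
    const acao = h["access-control-allow-origin"];
    if (!req.withCredentials) {
      findings.push("no-credentials: withCredentials is not set, so cookies are not sent or stored");
    } else if (acao === "*") {
      findings.push("acao-wildcard: Access-Control-Allow-Origin: * is rejected for credentialed requests");
    } else if (h["access-control-allow-credentials"] !== "true") {
      findings.push("acac-missing: Access-Control-Allow-Credentials must be exactly \"true\"");
    }
    if (acao !== "*" && acao !== page.origin) {
      findings.push("acao-mismatch: Access-Control-Allow-Origin does not equal " + page.origin);
    }
    // Assumption: "third party" is approximated by a hostname mismatch; browsers
    // compare registrable domains using the Public Suffix List.
    if (req.thirdPartyCookies === "never" && page.hostname !== target.hostname) {
      findings.push("third-party-blocked: user preference blocks third-party cookies");
    }
  }
  const hasCookie = "set-cookie" in h;
  return { cookieStored: hasCookie && findings.length === 0, findings };
}

// Constructed sample: correct CORS headers, as in the reporter's scenario.
const sample = {
  pageUrl: "https://app.example/demo.html",
  requestUrl: "https://api.example/counter",
  withCredentials: true,
  responseHeaders: {
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "pageAccess=1",
  },
};
for (const pref of ["never", "always"]) {
  console.log(pref, diagnoseCredentialedCors({ ...sample, thirdPartyCookies: pref }));
}
```

With the preference set to "never" the only finding is the third-party block, which matches what the reporter observed: the CORS headers were correct and the cookie was still dropped.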