Open Bug 1388873 Opened 7 years ago Updated 1 year ago

cookies methods (e.g. cookie.getAll) returns stale (expired) cookies

Categories

(WebExtensions :: Compatibility, defect, P3)

54 Branch
defect

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned)


The cookies API returns stale cookies, i.e. cookies that have expired and are not visible to web pages.

STR.
1. Visit example.com
2. Open the console, run the following:

    document.cookie = 'cookiename=value; max-age=1';
    console.log(document.cookie || '<empty>');
    setTimeout(function() {
        console.log(document.cookie || '<empty>');
    }, 2000);
    // prints "cookiename=value" to show that the cookie is set
    // and "<empty>" to show that the cookie is gone.

3. Run the following to confirm that the cookie has expired:

    document.cookie

3. Install an extension with the cookies permission, call:

    chrome.cookies.getAll({name: 'cookiename'}, console.log);

   (or install https://addons.mozilla.org/en-US/firefox/addon/a-cookie-manager/ (version 1.2 or 1.3), enter "cookiename" in the name field and press the "Search" button).

Expected result:
- The chrome.cookies.getAll call should not return any results.

Actual result:
- chrome.cookies.getAll returns cookies that have expired.
- Note: Services.cookies.enumerator, Services.cookies.getCookiesFromHost, Services.cookies.getCookiesWithOriginAttributes all include stale cookies.
Priority: -- → P2
Priority: P2 → P3
Product: Toolkit → WebExtensions
I actually like it this way, since I can detect and then remove stale cookies with my extension. If you do consider this bug ticket, please make it optional.

This is causing an issue for the Cookie AutoDelete extension. await browser.cookies.getAll({storeId: "firefox-default"}) returns all cookies (even expired ones) and the extension then tries to remove them with browser.cookies.remove(...), but the method won't remove expired cookies. So the extension will try over and over again to remove the expired cookies.

Extension authors shouldn't be required to check if the cookie is expired; Firefox should handle that.

I can't confirm that. I can delete expired cookies just fine with my extension. If your cookie doesn't get deleted, it's based on some other issue.

Maybe you are facing bug 1440263

(In reply to Lusito from comment #3)

I can't confirm that. I can delete expired cookies just fine with my extension. If your cookie doesn't get deleted, it's based on some other issue.

#719 contains a bit more info. I just did some further testing:

$ await browser.cookies.getAll({storeId: "firefox-default"})
[...]
  {
    "name": "steamCountry",
    "value": "XXXX",
    "domain": "store.steampowered.com",
    "hostOnly": true,
    "path": "/",
    "secure": true,
    "httpOnly": false,
    "sameSite": "no_restriction",
    "session": true,
    "firstPartyDomain": "",
    "storeId": "firefox-default"
  },
[...]
$  await browser.cookies.getAll({domain: "store.steampowered.com"})
Array []
$ await browser.cookies.remove({url: "https://store.steampowered.com", name: "steamCountry", storeId: "firefox-default"})
null
$ await browser.cookies.getAll({storeId: "firefox-default"})
[...]
  {
    "name": "steamCountry",
    "value": "XXXX",
    "domain": "store.steampowered.com",
    "hostOnly": true,
    "path": "/",
    "secure": true,
    "httpOnly": false,
    "sameSite": "no_restriction",
    "session": true,
    "firstPartyDomain": "",
    "storeId": "firefox-default"
  },
[...]
// visit store.steampowered.com and close the tab
$ await browser.cookies.remove({url: "https://store.steampowered.com", name: "steamCountry", storeId: "firefox-default"})
Object { url: "https://store.steampowered.com", name: "steamCountry", storeId: "firefox-default", firstPartyDomain: "" }
$ await browser.cookies.getAll({storeId: "firefox-default"})
[...]
  {
    "name": "steamCountry",
    "value": "XXXX",
    "domain": "store.steampowered.com",
    "hostOnly": true,
    "path": "/",
    "secure": true,
    "httpOnly": false,
    "sameSite": "no_restriction",
    "session": true,
    "firstPartyDomain": "",
    "storeId": "firefox-default"
  },
[...]

So I assume the cookie database is corrupted somehow or some logic is broken (?). Anyways it is probably some other issue.

Do you maybe have first party isolation enabled? In that case the steamCountry cookie is from before you enabled first party isolation. That would at least explain why the second getAll doesn't return anything and remove returns null.

Try setting firstPartyDomain to null in getAll and remove to ensure firstPartyDomain gets ignored. See: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies/getAll

(In reply to Lusito from comment #6)

Do you maybe have first party isolation enabled?

Thanks for the hint! I think the issue is caused by "Dynamic First Party Isolation":

$ await browser.cookies.getAll({domain: "store.steampowered.com", firstPartyDomain: null})
Array(5) [ {…}, {…}, {…}, {…}, {…} ]

I still can't remove the cookie though:

$ await browser.cookies.remove({"firstPartyDomain": null, "storeId": "firefox-default", "name": "steamCountry", "url": "https://store.steampowered.com/"})
null

So it is unrelated to this bug. Feel free to join the discussion in #719 if you have any more inputs :)

See Also: → 1669716

Thanks for raising this issue. That issue is unrelated to this bug report, so I have filed a new bug report to cover it (bug 1669716).

If you have anything to add, please add your comments in bug 1669716.

Severity: normal → S3

For 6 years the bug has not been fixed...

Someone should add to MDN that get() and getAll() return expired (bug 1388873) and unsorted (bug 1818968) cookies.
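
Added example, not part of the bug thread or of any extension named in it: one way for an extension to separate stale entries from a cookies.getAll() result using expirationDate, and to attempt removal once instead of looping when remove() resolves to null. The function names, the `api` parameter (pass browser.cookies in an extension) and the sample cookies are constructed for illustration.

```javascript
// Cookie.expirationDate is seconds since the UNIX epoch; session cookies have none.
function isExpired(cookie, nowMs = Date.now()) {
  if (cookie.session || typeof cookie.expirationDate !== "number") return false;
  return cookie.expirationDate * 1000 <= nowMs;
}

// Split a getAll() result into still-valid cookies and stale ones.
function splitByExpiry(cookies, nowMs = Date.now()) {
  const live = [], stale = [];
  for (const c of cookies) (isExpired(c, nowMs) ? stale : live).push(c);
  return { live, stale };
}

// Build the url that cookies.remove() requires from a Cookie object.
function cookieUrl(c) {
  return (c.secure ? "https://" : "http://") + c.domain.replace(/^\./, "") + c.path;
}

// Attempt each stale cookie once; a null result from remove() is recorded
// and returned instead of being retried. `api` is browser.cookies in an extension.
async function purgeStale(api, query, nowMs = Date.now()) {
  const { live, stale } = splitByExpiry(await api.getAll(query), nowMs);
  const notRemoved = [];
  for (const c of stale) {
    const res = await api.remove({ url: cookieUrl(c), name: c.name,
      storeId: c.storeId, firstPartyDomain: c.firstPartyDomain });
    if (res === null) notRemoved.push(c.name);
  }
  return { live, notRemoved };
}

// Constructed sample data and a stand-in for browser.cookies (runs outside a browser).
const NOW = 1700000000000;
const base = { domain: "example.com", path: "/", secure: false, session: false,
  storeId: "firefox-default", firstPartyDomain: "" };
const SAMPLE = [
  { ...base, name: "cookiename", expirationDate: NOW / 1000 - 60 },
  { ...base, name: "pref", expirationDate: NOW / 1000 + 3600 },
  { ...base, name: "sid", domain: ".example.com", secure: true, session: true },
];
// remove() resolving to null models the outcome shown in the console sessions above.
const fakeApi = { getAll: async () => SAMPLE, remove: async () => null };

purgeStale(fakeApi, { firstPartyDomain: null }, NOW).then(({ live, notRemoved }) =>
  console.log(live.map(c => c.name), notRemoved));
```

Passing firstPartyDomain: null in the getAll() query follows the suggestion made earlier in the thread, so that cookies are returned regardless of first-party isolation state.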
