Closed Bug 1454806 Opened 7 years ago Closed 7 years ago

Addon does not remember cookies

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
59 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: czeidler, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 Build ID: 20180326160923 Steps to reproduce: I'm working on an browser extension that authenticates with a remote server via XMLHttpRequests. Actual results: In Firefox (59.0.2) I have the problem that the session cookie send by the server is not stored in the browser. When looking at the network traffic I get a Set-Cookie response from the server for every request: Set-Cookie JSESSIONID=node01abks2u96hf84wt0i1uqwsb9879.node0;Path=/ but it seems that the cookie is never accepted or stored in the extension. Expected results: When looking at Chrome (where the extension is working) my extension includes this cookie in the request: Cookie: io=jCX1X9rlaOhCqE0nAAAB JSESSIONID=node01abks2u96hf84wt0i1uqwsb9879.node0 However, this is not the case in Firefox. Why is Firefox is not including the cookie in the request? and why is it not storing the cookie?
In order to reproduce this issue we need more information (steps, prerequisites, links, printscreens).
Flags: needinfo?(czeidler)
I setup a minimal addon that shows the problem: https://gitlab.com/czeidler/firefox-cookie-problem Open the debug view of the addon and select the network view. Then click the addon popup icon. This will trigger two requests to my server. The first reply contains a Set-Cookie header that is not reused in the second reply.
Flags: needinfo?(czeidler)
I found the reason why it is not working. Firefox handles a request from the popup as a cross domain request and does not set the cookie for this reason. Not sure if Chrome and Firefox should behave the same here or which solution is the better one. For this reason I close this bug. However, maybe somebody has a second thought about it... What I did to fix it: On the server: response.addHeader("Access-Control-Allow-Origin", request.getHeader("Origin")) response.addHeader("Access-Control-Allow-Credentials", "true") In the popup: connection.withCredentials = true;
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.