Network Request Cookies Panel SameSite is Case Sensitive
Categories
(DevTools :: Netmonitor, defect, P2)
Tracking
(firefox78 fixed)
| | Tracking | Status |
|---|---|---|
| firefox78 | --- | fixed |
People
(Reporter: dansoper, Assigned: Kage)
References
(Blocks 1 open bug)
Details
(Keywords: good-first-bug)
Attachments
(4 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36
Steps to reproduce:
Set a cookie from the server like this:
Set-Cookie: caseSensitive=1; secure; HttpOnly; SameSite=strict
Actual results:
In the Network tab, inspecting the request, Cookies tab, this shows up as samesite: "None". If the original Set-Cookie is sent with "Strict", it shows up correctly - this is clearly a case-sensitivity issue.
Expected results:
It should show as samesite: "Strict".
Comment 1•1 year ago
Thank you for the bug. I don't see how the Network panel is causing this, thus moving this to the Network component for triage.
The cookies are set correctly. It is just the display in the Network panel that is wrong.
Just in case it wasn't clear what the issue was - the two attachments show the cookies in the header, and the cookies in the "Cookies" tab in the Network panel. As you can see, Lax and Strict cookies are displaying as "None", if they do not match the case exactly.
Although I'm brand new to looking at the Firefox codebase, I do think this is simply a display issue in the Network Panel - the cookies still behave correctly.
Comment 6•1 year ago
If I understand the report correctly, we handle the cookie correctly and just the information in the cookie tab is wrong. If so, it's a netmonitor issue. If you think it's a necko bug, please describe how netmonitor gets the values that are displayed in the cookie tab.
Comment 7•1 year ago
Bomsy, could you help, please: Any idea how cookies are displayed incorrectly because of case sensitivity?
I may be way off here - and apologies that I don't have the resources to download and build Firefox (yet) to test my theory.
devtools/shared/webconsole/network-helper.js
parseSetCookieHeader(): this has a switch block which tests the incoming attribute. This attribute is raw, from the header. Yet it's comparing with the COOKIE_SAMESITE constant, which is formatted in Title Case ("Lax", "Strict" and "None").
I reckon, to resolve this, you'd want to add attribute = attribute.toLowerCase() and then in each of the switch cases change them to (e.g.) COOKIE_SAMESITE.LAX.toLowerCase().
Apologies again if this is wrong.
Comment 9•1 year ago
@dansoper is on point with Comment 8
The parseSameSiteAttribute function here compares the attribute against constants in COOKIE_SAMESITE here.
So it matches if the attribute is camelcase, e.g. SameSite=Strict, and it does not for SameSite=strict.
A fix would be as suggested above, convert both the attribute and the constants to .toLowerCase() here before comparing.
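The case-sensitive comparison and the fix discussed in the comments above, as an added JavaScript example that is not the Firefox source: `SAMESITE`, `parseSameSite` and `parseSetCookie` are hypothetical names, and the fallback to "None" is an assumption taken from the display the report describes. A tool that shows `SameSite=strict` as "None" gives a misleading picture when cookie protections are being audited, so the model returns both readings side by side.

```javascript
// Simplified model of the parsing bug, not Firefox's code; all names are hypothetical.
const SAMESITE = { LAX: "Lax", STRICT: "Strict", NONE: "None" };

// caseInsensitive = false models the "before" behaviour: the raw header value is
// compared to Title Case constants. caseInsensitive = true lowercases both sides,
// as suggested in the thread. The "None" fallback is an assumption chosen to
// reproduce the display described in the report.
function parseSameSite(value, caseInsensitive) {
  const norm = (s) => (caseInsensitive ? s.trim().toLowerCase() : s);
  switch (norm(value)) {
    case norm(SAMESITE.LAX): return SAMESITE.LAX;
    case norm(SAMESITE.STRICT): return SAMESITE.STRICT;
    default: return SAMESITE.NONE;
  }
}

// Minimal Set-Cookie parser: name=value first, then ";"-separated attributes.
function parseSetCookie(header, caseInsensitive) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no usable name=value pair
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  for (const attr of attrs) {
    const [rawKey, ...rest] = attr.split("=");
    const key = rawKey.trim().toLowerCase(); // attribute names are case-insensitive
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.samesite = parseSameSite(rest.join("="), caseInsensitive);
  }
  return cookie;
}

// Constructed sample headers; the first is the one from the report.
const SAMPLES = [
  "caseSensitive=1; secure; HttpOnly; SameSite=strict",
  "a=1; SameSite=Strict",
  "b=2; samesite=LAX",
];

// Parse each sample both ways so the mismatch is visible per header.
function compare() {
  return SAMPLES.map((header) => ({
    header,
    before: parseSetCookie(header, false).samesite,
    after: parseSetCookie(header, true).samesite,
  }));
}
console.table(compare());
```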
Comment 10•1 year ago
I would like to take up this issue, would be my first contribution.
Comment 13•1 year ago
Depends on D73540
Comment 14•1 year ago
Pushed by hmanilla@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9c265a7900d0
Resolved case sensitive issue in Cookies Panel. r=bomsy
https://hg.mozilla.org/integration/autoland/rev/c01c4a696970
Added tests. r=bomsy
Comment 15•1 year ago
https://hg.mozilla.org/mozilla-central/rev/9c265a7900d0
https://hg.mozilla.org/mozilla-central/rev/c01c4a696970