Closed Bug 1633511 Opened 6 months ago Closed 6 months ago

Network Request Cookies Panel SameSite is Case Sensitive


(DevTools :: Netmonitor, defect, P2)

77 Branch


(firefox78 fixed)

Firefox 78
Tracking Status
firefox78 --- fixed


(Reporter: dansoper, Assigned: Kage)


(Blocks 1 open bug)


(Keywords: good-first-bug)


(4 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36

Steps to reproduce:

Set a cookie from the server like this:
Set-Cookie: caseSensitive=1; secure; HttpOnly; SameSite=strict

Actual results:

In the Network tab, inspecting the request, Cookies tab, this shows up as
samesite: "None". If the original Set-Cookie is sent with "Strict", it shows up correctly - this is clearly a case-sensitivity issue.

Expected results:

It should show as samesite: "Strict".

Thank you for the bug. I don't see how Network panel is causing this, this moving this to the Network component for triage.

Component: Netmonitor → Networking: Cookies
Product: DevTools → Core

The cookies are set correctly. It is just the display in the Network panel that is wrong.

Just in case it wasn't clear what the issue was - the two attachments show the cookies in the header, and the cookies in the "Cookies" tab in the Network panel. As you can see, Lax and Strict cookies are displaying as "None", if they do not match the case exactly.

Although I'm brand new to looking at the Firefox codebase, I do think this is simply a display issue in the Network Panel - the cookies still behave correctly.

If I understand the report correctly, we handle the cookie correctly and just the information in the cookie tab is wrong. If so, it's netmonitor issue. If you think it's a necko bug, please describe how netmonitor gets the values that are displayed in the cookie tab.

Component: Networking: Cookies → Netmonitor
Product: Core → DevTools

Bomsy, could you help, please: Any idea how cookies are displayed incorrectly because of case sensitivity?

Flags: needinfo?(hmanilla)

I may be way off here - and apologies that I don't have the resources to download and build Firefox (yet) to test my theory.


parseSetCookieHeader(): this has a switch block which tests the incoming attribute. This attribute is raw, from the header. Yet it's comparing with the COOKIE_SAMESITE constant, which is formatted in Title Case ("Lax", "Strict" and "None").

I reckon, to resolve this, you'd want to add attribute = attribute.toLowerCase() and then in each of the switch cases change them to (e.g.) COOKIE_SAMESITE.LAX.toLowerCase().

Apologies again if this is wrong.

@dansoper is on point with Comment 8
The parseSameSiteAttribute function here compares the attribute against constants in COOKIE_SAMESITE here.

So it matches if the attribute is calmelcase e.g SameSite=Strict and it does not for SameSite=strict.

A fix would be as suggested above, convert both the attribute and the constants to .toLowerCase() here before comparing.

Flags: needinfo?(hmanilla)
Keywords: good-first-bug
Priority: -- → P2

I would like to take up this issue, would be my first contribution.

Nice! Assigned to you.

Assignee: nobody → 18kushaljain

Depends on D73540

Attachment #9146464 - Attachment is obsolete: true
Attachment #9146464 - Attachment is obsolete: false
Pushed by
Resolved case sensitive issue in Cookies Panel. r=bomsy
Added tests. r=bomsy
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 78
You need to log in before you can comment on or make changes to this bug.