document.cookie does not support `Secure;`

[motss]

Describe the bug When setting a document.cookie with Secure;, document.cookie will become an empty string.

To Reproduce The following reduced test case shows that Secure; is not supported:

describe('test cookie', () => {
  it('test', () => {
    document.cookie = 'a=a; Secure; SameSite=Strict; path=/';

    expect(document.cookie).toBe('a=a'); // This fails due to document.cookie returns '';
  });
});

Expected behavior When running document.cookie = 'a=a; Secure; SameSite=Strict; path=/';, document.cookie should return a=a instead of ''.

Screenshots N/A

Device:

• Version: 12.10.3

• EnvInfo:

  System:
  OS: macOS 14.1.1
  CPU: (10) arm64 Apple M1 Max
  Memory: 1.51 GB / 64.00 GB
  Shell: 5.9 - /bin/zsh
  Binaries:
  Node: 21.0.0 - ~/Library/Caches/fnm_multishells/97445_1700298068565/bin/node
  npm: 10.2.0 - ~/Library/Caches/fnm_multishells/97445_1700298068565/bin/npm
  pnpm: 8.10.5 - /opt/homebrew/bin/pnpm
  bun: 1.0.12 - /opt/homebrew/bin/bun
  Managers:
  Cargo: 1.57.0 - ~/.cargo/bin/cargo
  Homebrew: 4.1.20 - /opt/homebrew/bin/brew
  pip3: 23.3.1 - /opt/homebrew/bin/pip3
  RubyGems: 3.0.3.1 - /usr/bin/gem
  Utilities:
  Make: 3.81 - /usr/bin/make
  GCC: 15.0.0 - /usr/bin/gcc
  Git: 2.42.1 - /opt/homebrew/bin/git
  Clang: 15.0.0 - /usr/bin/clang
  Curl: 8.1.2 - /usr/bin/curl
  Servers:
  Apache: 2.4.56 - /usr/sbin/apachectl
  SDKs:
  iOS SDK:
    Platforms: DriverKit 23.0, iOS 17.0, macOS 14.0, tvOS 17.0, watchOS 10.0
  IDEs:
  VSCode: 1.84.2 - /usr/local/bin/code
  Vim: 9.0 - /usr/bin/vim
  Xcode: 15.0.1/15A507 - /usr/bin/xcodebuild
  Languages:
  Bash: 3.2.57 - /bin/bash
  Perl: 5.30.3 - /usr/bin/perl
  Python3: 3.11.6 - /opt/homebrew/bin/python3
  Ruby: 2.6.10 - /usr/bin/ruby
  Rust: 1.57.0 - /Users/rongsen/.cargo/bin/rustc
  Databases:
  SQLite: 3.39.5 - /usr/bin/sqlite3
  Browsers:
  Chrome: 119.0.6045.105
  Safari: 17.1
  Safari Technology Preview: 17.4

Additional context N/A

[lsanwick]

I'm seeing the same issue, is there any way to resolve this?

[HiroshiOHSUGA]

I met the same and I could fix it.

My cases is vitest. I could fix by configuring url to https url.

    environmentOptions: {
      happyDOM: {
        url: "https://localhost:3000",
      },
    },

Possibly your tests are running on not https:// location. If a cookie was marked secure on http:// page, it is ignored by browser. This isn't happy-dom issue.

[motss]

A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute. However, don't assume that Secure prevents all access to sensitive information in cookies. For example, someone with access to the client's hard disk (or JavaScript if the HttpOnly attribute isn't set) can read and modify the information.

That's a happy-dom issue because localhost is a secure context.