iftechfoundation / ifarchive-admintool

Admin script for IF Archive work

XSRF mismatch in Chrome #17

Closed erkyrath closed 9 months ago

erkyrath commented 9 months ago

Mike Russo reported "XSRF mismatch" when testing with Chrome. Worked in Safari.

I'm sure this is Chrome failing to handle the __Host-_xsrf cookie correctly. I don't know if it's default behavior or if it only happens under a particular cookie handling preference. Will test further.

erkyrath commented 9 months ago

I was correct, but I don't know why. I was setting the cookie like this:

('Set-Cookie', '__Host-_xsrf=9b718205ccac1887910388dc0c019def; HttpOnly; Secure')

(This is a key-value pair for the wsgi API.) This works correctly in Safari and Firefox, but not Chrome. I have not been able to find documentation of what Chrome is doing differently.

As I understand it, the rules for __Host- cookies are (a) you need Secure; (b) you need to not set a Domain; (c) you need to not set a Path; (d) you need to be using https:. All of this is true.

Hm. Maybe I need to explicitly set Path=/? I'll try that.

erkyrath commented 9 months ago

Yeah, I had to explicitly set Path=/. Live and learn.
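An added checker (not code from ifarchive-admintool) for the `__Host-` prefix rules as RFC 6265bis defines them and as Chrome enforces them: Secure must be present, Domain must be absent, and Path must be explicitly `/`. Run against the header from the second comment it reports exactly the missing `Path=/`, and it accepts the corrected form; `host_cookie_header` is an assumed helper name that builds a compliant WSGI header pair.

```python
# __Host- cookie prefix validator and builder (added example, not from the
# project). Rules per RFC 6265bis: Secure set, no Domain, Path exactly "/",
# and the response must go out over https. Chrome silently drops a
# __Host- cookie that violates any of these, which shows up as an XSRF
# mismatch on the next POST because the cookie never comes back.

def check_host_prefix(set_cookie_value: str, over_https: bool = True) -> list[str]:
    """Return a list of violations; an empty list means the cookie is acceptable."""
    parts = [p.strip() for p in set_cookie_value.split(';')]
    name = parts[0].split('=', 1)[0]
    if not name.startswith('__Host-'):
        return []  # prefix rules do not apply to other cookie names
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition('=')
        attrs[key.strip().lower()] = value.strip()
    problems = []
    if not over_https:
        problems.append('must be set over https')
    if 'secure' not in attrs:
        problems.append('missing Secure attribute')
    if 'domain' in attrs:
        problems.append('Domain attribute must not be set')
    if attrs.get('path') != '/':
        problems.append('Path must be explicitly set to "/"')
    return problems


def host_cookie_header(name: str, value: str, http_only: bool = True) -> tuple[str, str]:
    """Build a ('Set-Cookie', ...) pair for the WSGI response headers list (assumed helper)."""
    attrs = [f'__Host-{name}={value}', 'Path=/', 'Secure']
    if http_only:
        attrs.append('HttpOnly')
    return ('Set-Cookie', '; '.join(attrs))


# Constructed samples: the header quoted in the issue and its corrected form.
ORIGINAL = '__Host-_xsrf=9b718205ccac1887910388dc0c019def; HttpOnly; Secure'
FIXED = '__Host-_xsrf=9b718205ccac1887910388dc0c019def; HttpOnly; Secure; Path=/'

if __name__ == '__main__':
    print('original:', check_host_prefix(ORIGINAL) or 'ok')
    print('fixed:   ', check_host_prefix(FIXED) or 'ok')
    print('built:   ', host_cookie_header('_xsrf', 'token-placeholder'))
```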