Closed erkyrath closed 9 months ago
I was correct, but I don't know why. I was setting the cookie like this:
```python
('Set-Cookie', '__Host-_xsrf=9b718205ccac1887910388dc0c019def; HttpOnly; Secure')
```
(This is a key-value pair for the WSGI API.) This works correctly in Safari and Firefox, but not Chrome. I have not been able to find documentation of what Chrome is doing differently.
As I understand it, the rules for `__Host-` cookies are (a) you need `Secure`; (b) you need to not set a `Domain`; (c) you need to not set a `Path`; (d) you need to be using https:. All of this is true.
Hm. Maybe I need to explicitly set `Path=/`? I'll try that.
Yeah, I had to explicitly set `Path=/`. Live and learn.
Mike Russo reported "XSRF mismatch" when testing with Chrome. Worked in Safari.
I'm sure this is Chrome failing to handle the `__Host-_xsrf` cookie correctly. I don't know if it's default behavior or if it only happens under a particular cookie handling preference. Will test further.