mdn / sprints

Archived: MDN Web Docs issues are tracked in the content repository.
https://github.com/mdn/content
Creative Commons Zero v1.0 Universal

Document.cookie examples don't work #3942

Closed lox-enterprises closed 3 years ago

lox-enterprises commented 3 years ago

Request type

Details

The examples on this page no longer work: https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie

It seems you cannot access document.cookie anymore from JavaScript, it always returns an empty string. I'm on Google Chrome/Linux.

Perhaps the examples should be removed and/or notice added.

vkWeb commented 3 years ago

@1202software @chrisdavidmills umm, I can try looking into what's going on.

vkWeb commented 3 years ago

After looking into this a bit, I found that Google Chrome doesn't allow cookie reads/writes from the file:// protocol. Other browsers allow that. Chrome allows cookie reads/writes from the http protocol only: https://bugs.chromium.org/p/chromium/issues/detail?id=535.

hamishwillee commented 3 years ago

No, this is an issue due to expected security behaviour, as reported in https://support.google.com/chrome/thread/33543699?hl=en (i.e. related to SameSite and iframes). You can see these working if you load the source pages directly in Chrome: https://mdn.mozillademos.org/en-US/docs/Web/API/Document/cookie$samples/Example_2_Get_a_sample_cookie_named_test2?revision=1591237

There are a couple of potential problems outlined there. The example is in an embedded iframe with a different domain.

<iframe class="live-sample-frame sample-code-frame" frameborder="0" height="36" id="frame_Example_1_Simple_usage" src="https://mdn.mozillademos.org/en-US/docs/Web/API/Document/cookie$samples/Example_1_Simple_usage?revision=1652690" width="200"></iframe>

From a SameSite cookie perspective on Chrome this means that cookies will not be sent by default (it will be set to Lax).

To fix this, first I'd try modifying the examples to add the SameSite as shown - e.g.

document.cookie = "name=oeschger; SameSite=None; Secure;";

That will probably work, but it is possible that the iframe itself will put further restrictions on calling this API (doesn't appear to on quick scan of docs).

@chrisdavidmills Where are the examples on https://mdn.mozillademos.org actually stored/specified? Making the change above to add SameSite=None; Secure; would do "no harm" IMO, though there will need to be a note added in docs.

PS. If that doesn't work then we'll have to look closer at the iframe itself. It may be that this has to be a link to the example rather than an embed. I'd kind of prefer that - only suggesting the SameSite change because it gives us an opportunity to make some comments about how important SameSite is now.
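
Added example, not part of the thread and not MDN's or Chrome's own code: a simplified model of the SameSite rules discussed in the comment above, showing why the embedded sample's cookie write is dropped and why adding `SameSite=None; Secure` changes the outcome. The function names and the `ctx` fields are hypothetical, and the three rules are this example's assumptions about Chrome's default behaviour.

```javascript
// Simplified model (an assumption of this example, not browser source code) of how
// Chrome's SameSite defaults decide whether a document.cookie write is stored.

// Split "name=value; Attr=Val; Flag" into the name and a lower-cased attribute map.
function parseCookieString(str) {
  const [pair = "", ...rest] = str.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: eq === -1 ? "" : pair.slice(0, eq), attrs };
}

// A cookie with no (or an unrecognised) SameSite attribute is treated as Lax.
function effectiveSameSite(attrs) {
  const v = String(attrs.samesite || "").toLowerCase();
  return v === "none" || v === "strict" ? v : "lax";
}

// ctx.crossSiteFrame: the script runs in an iframe whose site differs from the top-level page.
// ctx.secureOrigin:   the frame was loaded over https.
function checkCookieWrite(cookieString, ctx) {
  const { attrs } = parseCookieString(cookieString);
  const sameSite = effectiveSameSite(attrs);
  const secure = "secure" in attrs; // the attribute's presence is what counts
  if (secure && !ctx.secureOrigin) {
    return { stored: false, reason: "Secure cookie set from a non-https origin" };
  }
  if (sameSite === "none" && !secure) {
    return { stored: false, reason: "SameSite=None requires Secure" };
  }
  if (ctx.crossSiteFrame && sameSite !== "none") {
    return { stored: false, reason: `SameSite=${sameSite} cookie in a cross-site frame` };
  }
  return { stored: true, reason: "ok" };
}

// Constructed scenario: the live sample embedded from a different domain, over https.
const embedded = { crossSiteFrame: true, secureOrigin: true };
console.log(checkCookieWrite("name=oeschger", embedded));
console.log(checkCookieWrite("name=oeschger; SameSite=None; Secure;", embedded));
console.log(checkCookieWrite("name=oeschger", { crossSiteFrame: false, secureOrigin: true }));
```

The third call models loading the sample page directly, where the same unmodified cookie string is stored.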

chrisdavidmills commented 3 years ago

@hamishwillee that's a good question — I'm not really sure how to access those demos.

@escattone, do you know the answer to this?

I'd be in favor of moving those demos across to a repo somewhere under https://github.com/mdn/ at some point.

escattone commented 3 years ago

@chrisdavidmills I think @hamishwillee is right on here (thank you), but I probably won't be able to look into this in more detail until next week due to everything else going on for the launch of Yari a week from today.

hamishwillee commented 3 years ago

@escattone Just a reminder, that this one is still a problem.

chrisdavidmills commented 3 years ago

Issue moved to mdn/yari #2579 via ZenHub