tauri-apps / wry

Cross-platform WebView library in Rust for Tauri.
Apache License 2.0

[MacOS / Linux] WebKit doesn’t set Secure cookies on localhost #444

Open tauri-apps[bot] opened 2 years ago

tauri-apps[bot] commented 2 years ago

This issue has been upstreamed from https://github.com/tauri-apps/tauri/issues/2604

Describe the bug

Thank you for the amazing work, progress and transparency with the community.

I’m going through a challenge with WebKit. I’ll try to be as brief as possible.

My app is based on Nuxt, using Nuxt Auth with HTTPOnly and Secure Cookie, Axios, and connects to the backend through Axios proxy and withcredentials.

I found out that my app was not logging in on Safari/Tauri. After taking a look, it turns out that when it comes to setting Secure cookies locally, not all browsers behave in the same way. For example, Safari doesn’t set Secure cookies on localhost, but Firefox and Chrome do.

To test, I generated a local SSL Certificate and it works on Safari and Tauri Dev but not on Tauri Build.

Set-Cookie: XSRF-TOKEN=eyJ0eXAiOiJK; expires=Fri, 08 Oct 2021 18:47:22 GMT; HttpOnly; Max-Age=2592000; Path=/; SameSite=Lax; Secure

References

https://web.dev/when-to-use-local-https/

Update

The same behavior is happening in the Linux environment.

wusyong commented 2 years ago

I'll take this issue as a tracking issue for cookie support on all platforms. There should be some managers or APIs to set the user data directory as a db or cache. Here are the possible features I found so far:

Any help is welcome!

arnaudambro commented 2 years ago

hi @wravery @amrbashir

I'm not a specialist in cookies and I can't help you out unfortunately...

but I'm finding out that my app on macOS can't use cookies, it doesn't work :( in dev and in production, same result

is it something you say can't be fixed? or is it something that you plan to fix on your roadmap?

thanks for the great job anyway, I just set up my whole webapp in tauri in a couple of hours, and it's working like a charm (except the cookie part)

👏

Tragio commented 2 years ago

@wusyong check this https://webkitgtk.org/reference/webkit2gtk/stable/WebKitWebsiteDataManager.html

WebKitWebsiteDataManager allows you to manage the data that websites can store in the client file system like databases or caches. You can use WebKitWebsiteDataManager to configure the local directories where the Website data will be stored, by creating a new manager with webkit_website_data_manager_new() passing the values you want to set.

Or https://webkitgtk.org/reference/webkit2gtk/stable/WebKitCookieManager.html

The WebKitCookieManager defines how to set up and handle cookies. You can get it from a WebKitWebsiteDataManager with webkit_website_data_manager_get_cookie_manager(), and use it to set where to store cookies with webkit_cookie_manager_set_persistent_storage(), or to set the acceptance policy, with webkit_cookie_manager_get_accept_policy().

Does this help?

wusyong commented 2 years ago

Custom protocols on Linux don't support headers yet (but soon). We couldn't do this even if we had the type. I think, for the schedule on tauri, we'd better look into it again after 1.0.

henry40408 commented 2 years ago

Hi, I have created a simple repository to reproduce the bug on different OSes: https://github.com/henry40408/tauri-secure-cookies

I've tested it on Windows and Linux. The cookie is preserved on Windows but not on Linux.

I will test on macOS soon.

keiya01 commented 2 years ago

macOS seems to have some restriction on getting cookies. ios - Getting all cookies from WKWebView - Stack Overflow

FabianLars commented 2 years ago

@henry40408 Your example (kinda) works fine on Linux for me. The thing that's missing is a custom WebContext with a user_data_directory which is used to store cookies. Once added it correctly saves the cookies for me. On that note, tauri does work fine with your example server too (again, on Linux) :/

Edit: Ahh, but removing the https stuff makes it match the described behavior, at least if I understood the bug report correctly.

icambron commented 1 year ago

@wusyong A couple questions on this:

  1. Is this object helpful for the macos case? https://developer.apple.com/documentation/webkit/wkwebsitedatastore?changes=latest_minor. I tried to see where it would fit into WKWebView's WebContext implementation, but got a bit lost, especially WRT the unsafe code where the WKWebViewConfiguration stuff is set up.
  2. I don't think I understand something about the basics. Why is it necessary to customize the location of cookie storage? I'd have thought that by default it stores the cookies...somewhere, and that would be adequate.

I have a similar reproduction to @henry40408's (made before I found this issue), which you can see here: https://github.com/icambron/tauri-cookies. Works on Windows but not OSX, haven't tried Linux.

FabianLars commented 1 year ago

I don't think I understand something about the basics. Why is it necessary to customize the location of cookie storage? I'd have thought that by default it stores the cookies...somewhere, and that would be adequate.

At least on Linux you need to set a location for it to even store something. But this is not related to this issue, because normal cookies get saved fine, just not Secure/HttpOnly cookies (on custom protocols - http(s) schemes are fine).

carmel commented 1 year ago

Looking forward to the same functionality, as long as the cookie can be taken out without caring whether the cookie is Secure or not. Looking forward to the 1.0 version.

futurist commented 1 year ago

Any progress on macOS?

wusyong commented 1 year ago

I plan to look into this again, but I'll need a minimum reproducible example in wry. Probably both localhost and custom protocol.

julian-amplica commented 8 months ago

Apologies if this is unhelpful, but perhaps this discussion is relevant?

WebKit Bugzilla—Unable to set secure+httpOnly cookie for localhost in Safari from Node JS

I found both this issue and this linked issue when trying to diagnose cookie issues in E2E tests, and this comment from John Wilander (head of WebKit security) was very helpful:

Are you using a self-signed certificate for localhost and serving all of its resources over https? Secure cookies are not accepted from non-secure pages.
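The rule quoted above (a `Secure` cookie is only accepted when the page that received it is itself in a secure context) is what the whole thread comes down to, together with FabianLars's observation that plain cookies are stored fine on a custom protocol while `Secure` ones are not. The following is an added example written for this page, not code from wry, Tauri or WebKit: it parses a `Set-Cookie` header such as the one quoted in the issue and models, per engine, whether the cookie would be stored for a given page origin. The engine rules are an assumption that summarises the thread (https is secure everywhere; Chromium and Gecko also treat `http://localhost` as trustworthy; WebKit does not; a custom scheme is secure nowhere), and the `tauri://localhost` and `https://tauri.localhost` origins are constructed stand-ins for what the thread calls a custom protocol.

```rust
// Added example (not part of wry/Tauri/WebKit): model of the "Secure cookies
// are not accepted from non-secure pages" rule discussed in the issue.
use std::collections::BTreeMap;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SetCookie {
    pub name: String,
    pub value: String,
    pub secure: bool,
    pub http_only: bool,
    /// Remaining attributes, keys lower-cased (expires, max-age, path, samesite, ...).
    pub attrs: BTreeMap<String, String>,
}

/// Minimal Set-Cookie parser: first `name=value` pair, then `;`-separated attributes.
pub fn parse_set_cookie(header: &str) -> Option<SetCookie> {
    let mut parts = header.split(';').map(str::trim);
    let (name, value) = parts.next()?.split_once('=')?;
    if name.trim().is_empty() {
        return None;
    }
    let mut cookie = SetCookie {
        name: name.trim().to_string(),
        value: value.trim().to_string(),
        secure: false,
        http_only: false,
        attrs: BTreeMap::new(),
    };
    for attr in parts.filter(|a| !a.is_empty()) {
        let (key, val) = match attr.split_once('=') {
            Some((k, v)) => (k.trim().to_ascii_lowercase(), v.trim().to_string()),
            None => (attr.to_ascii_lowercase(), String::new()),
        };
        match key.as_str() {
            "secure" => cookie.secure = true,
            "httponly" => cookie.http_only = true,
            _ => {
                cookie.attrs.insert(key, val);
            }
        }
    }
    Some(cookie)
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Engine {
    WebKit,
    Chromium,
    Gecko,
}

pub struct Origin<'a> {
    pub scheme: &'a str,
    pub host: &'a str,
}

/// Extract scheme and host from a URL like `https://localhost:3000/path`.
pub fn parse_origin(url: &str) -> Option<Origin<'_>> {
    let (scheme, rest) = url.split_once("://")?;
    let host = rest.split(|c: char| c == '/' || c == ':').next()?;
    Some(Origin { scheme, host })
}

/// Assumed per-engine rule for whether the page origin counts as a secure context.
/// https is secure everywhere; Chromium and Gecko also treat http://localhost as
/// potentially trustworthy; WebKit does not. Custom schemes (e.g. tauri://) are
/// not secure under this model for any engine.
pub fn is_secure_context(origin: &Origin, engine: Engine) -> bool {
    match origin.scheme {
        "https" | "wss" => true,
        "http" => {
            matches!(engine, Engine::Chromium | Engine::Gecko)
                && (origin.host == "localhost"
                    || origin.host == "127.0.0.1"
                    || origin.host.ends_with(".localhost"))
        }
        _ => false,
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Stored,
    Rejected(&'static str),
}

/// Decide whether `header`, received by a page at `page_url`, would be stored.
pub fn evaluate(header: &str, page_url: &str, engine: Engine) -> Verdict {
    let Some(cookie) = parse_set_cookie(header) else {
        return Verdict::Rejected("unparseable Set-Cookie header");
    };
    let Some(origin) = parse_origin(page_url) else {
        return Verdict::Rejected("unparseable page URL");
    };
    if cookie.secure && !is_secure_context(&origin, engine) {
        return Verdict::Rejected("Secure attribute set but page origin is not a secure context");
    }
    Verdict::Stored
}

fn main() {
    // Sample header: the one quoted in the issue.
    const HEADER: &str = "XSRF-TOKEN=eyJ0eXAiOiJK; expires=Fri, 08 Oct 2021 18:47:22 GMT; HttpOnly; Max-Age=2592000; Path=/; SameSite=Lax; Secure";
    // Constructed origins: dev server over https/http, and two custom-protocol stand-ins.
    let cases = [
        ("https://localhost:3000/", Engine::WebKit),
        ("http://localhost:3000/", Engine::WebKit),
        ("http://localhost:3000/", Engine::Chromium),
        ("tauri://localhost/", Engine::WebKit),
        ("https://tauri.localhost/", Engine::Chromium),
    ];
    for (url, engine) in cases {
        println!("{url} on {engine:?}: {:?}", evaluate(HEADER, url, engine));
    }
}
```

Running it shows the pattern reported across the thread under this model: the same header is stored on `https://localhost` in every engine, stored on `http://localhost` only outside WebKit, and dropped on a non-https custom scheme regardless of engine, while the same cookie without `Secure` is stored everywhere. That is also the practical diagnostic: compare the page origin's scheme against the cookie's `Secure` flag before suspecting the cookie store itself.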