w3c / webextensions

Charter and administrivia for the WebExtensions Community Group (WECG)

Inconsistency: cookies.get[All] #544

Closed Dalzhim closed 4 months ago

Dalzhim commented 4 months ago

Summary

Safari does not return cookies with the HttpOnly flag while Chrome and Firefox do

Current behavior

Assuming host permissions for the domain, the code below returns all the cookies on Chrome and Firefox, but HttpOnly flagged cookies are excluded by Safari.

chrome.cookies.get({name: "__Secure-token", url: "https://example.com"}).then(cookie => cookie.value).then(console.log).catch(console.log);
chrome.cookies.getAll({url: "https://example.com"}).then(console.log).catch(console.log);

Expected behavior

I would expect HttpOnly flagged cookies to be returned on Safari as well. My understanding is that HttpOnly is meant to mitigate against XSS attacks, which means arbitrary JavaScript code executing in the context of a regular web page can't access them. Even though Web Extensions are implemented in JavaScript, they are extending the browser's behavior and should have access to these cookies the same way the browser does.
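As an added example (not code from this issue, from the WECG, or from any browser vendor): a probe an extension can run once at startup to learn whether the browser's cookies API exposes HttpOnly cookies, so it can degrade gracefully instead of assuming the Chrome/Firefox behaviour. The `chrome.cookies` namespace is passed in as `api`; the in-memory mock below is constructed for this example and, with `hideHttpOnly: true`, reproduces the Safari behaviour described above. The probe cookie name is a made-up placeholder.

```javascript
// Probe whether the cookies API returns HttpOnly cookies to this extension.
// Assumes the "cookies" permission plus host permissions for `url`.
const PROBE_NAME = "__wecg544_probe"; // constructed placeholder name

async function probeHttpOnlyVisibility(api, url) {
  // Plant one HttpOnly cookie that the extension itself controls, then ask
  // for it back via both cookies.get and cookies.getAll.
  await api.set({ url, name: PROBE_NAME, value: "1", httpOnly: true, secure: true });
  try {
    const direct = await api.get({ url, name: PROBE_NAME }); // null when not visible
    const listed = (await api.getAll({ url })).some(c => c.name === PROBE_NAME);
    return {
      getSeesHttpOnly: direct !== null && direct !== undefined,
      getAllSeesHttpOnly: listed,
    };
  } finally {
    // Never leave the probe cookie behind, whatever the result was.
    await api.remove({ url, name: PROBE_NAME });
  }
}

// Minimal in-memory stand-in for chrome.cookies (constructed for this example).
// hideHttpOnly: true  -> behaves like Safari as reported in the issue
// hideHttpOnly: false -> behaves like Chrome and Firefox
function makeMockCookiesApi({ hideHttpOnly }) {
  const jar = new Map();
  const visible = c => !(hideHttpOnly && c.httpOnly);
  return {
    async set(d) { jar.set(d.name, { ...d }); return { ...d }; },
    async get({ name }) { const c = jar.get(name); return c && visible(c) ? { ...c } : null; },
    async getAll() { return [...jar.values()].filter(visible).map(c => ({ ...c })); },
    async remove({ name }) { jar.delete(name); return { name }; },
  };
}
```

In a real extension, call `probeHttpOnlyVisibility(chrome.cookies, url)` and cache the result; when `getAllSeesHttpOnly` is false, treat an absent cookie as "not visible" rather than "not set".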

xeenon commented 4 months ago

This has been fixed (not shipping yet).

https://github.com/WebKit/WebKit/blob/8ec200dbd45df59fffbda714a9e4b8d1ccc6ceb3/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPICookies.mm#L436

Dalzhim commented 4 months ago

Thank you for the quick fix! On a side note, do you believe these changes will also fix this other issue that was reported on the WebKit bug tracker? https://bugs.webkit.org/show_bug.cgi?id=260676

xeenon commented 4 months ago

Not likely.

Dalzhim commented 4 months ago

> This has been fixed (not shipping yet).
>
> https://github.com/WebKit/WebKit/blob/8ec200dbd45df59fffbda714a9e4b8d1ccc6ceb3/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPICookies.mm#L436

I have downloaded Safari Technology Preview 189, which seems to include the above fix, but the issue is not resolved. As far as I can tell, the specific line pointed to by the link you provided is used to register the cookie with the HttpOnly attribute, not to successfully query it.

xeenon commented 4 months ago

Safari Technology Preview does not use WebKit for extensions yet. Stay tuned.