Status Update
No update yet.
Comments
ka...@google.com
ka...@google.com
jo...@gmail.com
I'm running the html file via http-server so that cookies can be set.
As you can see in the video, the interval keeps logging the cookie even though it has already disappeared from the browser after 6 seconds. Only when we open the application cookies tab, then we kind of force a state refresh and from that moment on document.cookie correctly logs undefined as there are no cookies.
pe...@google.com
ka...@google.com
Steps to reproduce :-
==============
1.Launched Google chrome
2.Opened the html file
3.Opened the console
Provided screencast with all observations
Attaching screencast for reference
@Reporter: Could you please review the attached screen-cast and let us know if we missed anything from our end. Please confirm if this is the issue you are pointing to and also requesting to provide a screencast of actual and expected behaviour for better understanding of the issue.
Thanks..!!
jo...@gmail.com
The steps shown in your attached screen-cast are missing an important aspect: you need to serve the html page via http-server (or similar server) so that cookies can actually be set (cookies can't be set on a blank statically served file, the browser needs a host/domain to associate the cookie with). In your screen-cast the interval always logs undefined (even during the first 6 seconds) because no cookie is ever set. Apologies, I should have made that more clear in the reproduction-steps to run the html file via a local server.
Once you run the html file via a local server, you will see that the interval will log the cookie forever even after 6 seconds have passed (at that moment the cookie actually has been deleted by the browser but document.cookie still holds it (this is the bug)).
pe...@google.com
ka...@google.com
Provided screencast with all my observations
Note:-1)To check regression range tested in all active milestones M-124, M-123,Observed same as teported version and in M-122
2)Also checked in older builds M-112, Provided screencast with all my observations
Attaching screencasts for reference
Reporter:-Could you please review the attached screencasts and let us know if we missed anything from our end and please confirm if this is the issue you are pointing to
Note: Shared the screencast of M-112 behvaiour,please review the attached screenshots and confirm in older build M-112 behaviour is good or bad?
Thanks..!!
jo...@gmail.com
Bottom line, it seems like you can't reproduce the issue. I will try to reproduce it on a different machine when I have time.
pe...@google.com
jo...@gmail.com
I simply manually create the cookie with a 6 second lifetime and keep logging document.cookie. You will see in the video that document.cookie continues to hold the value way longer than the 6 second lifetime.
[Deleted User] <[Deleted User]>
Test here:
ay...@google.com
pe...@google.com
ay...@google.com
pe...@google.com
ay...@google.com
Updating components for document.cookie, possibly network>cookies folks?
dy...@google.com
I think this is a DevTools bug? Does the Console cache the result of JS execution? I wonder if the cookie is available longer than the allotted time outside of DevTools Console, or if this in the Console only?
dsv@, could you provide any insight?
dy...@google.com
FWIW I was not able to reproduce this on 123.0.6312.59 on MacOS 14.3.1
jo...@gmail.com
The bug is not restricted to the dev tools context. I stumbled upon this bug within normal frontend application code in a situation where I check for the presence of a certain cookie (a dummy cookie that mirrors a httponly access jwt cookie) before making a network request. The function that was checking for it was returning true even when it was obvious that the cookie had already expired. Only if I double-checked within the application cookies tab or via a cookie inspector chrome extension before the function would run, then the function would run correctly as expected.
ka...@google.com
Hence considering it as variation-bisect
Variations Bisect Information:
---------------------------------------
Bisect Script: python3 bisect_variations.py --input-file="variations_cmd.txt" --output-dir=".\out" --browser=stable --url= "https://
Bisecting succeeded: --force-fieldtrials=*SecurityPageHats/Enabled_20240205/ --force-fieldtrial-params=SecurityPageHats.Enabled_20240205:probability/1/security-page-time/15s/security-page-trigger-id/c4dvJ3Sz70ugnJ3q1cK0SkwJZodD --enable-features=ReduceCookieIPCs<CombinedPowerExperimentV2_1 --disable-features=ReadAnythingOmniboxIcon<ReadAnythingOmniboxIconRollout
Issue reproduces on "https://
Olivierli@ Could you please help in providing your inputs on this issue.
Thanks..!!
ol...@google.com
Hello,
I've just reproduced this locally by setting document.body.innerhtmlinstead of using the console.
It reproduces 100% of the time.
Essentially I'm expecting net::CookieStore to issue notifications for expirations but I assume that since this bug has be found this is not the case.
I'll start by determining if that's the case and if not if there is anything we can do to make that happen.
mo...@chromium.org
InternalDeleteCookie calls expirations:
mo...@chromium.org
he...@gmail.com
Found this thread while looking for documentation of this behavior in Chromium.
We had reports of an issue for our customers and tracked it down to some ancient frontend logic that uses a cookie with a 1 min expiry to limit fetch requests to a backend, and discovered that Chromium based browsers like Chrome, Edge, Arc (but not Brave) had the same issue with "document.cookie" still returning/holding the cookie set.
Triggering a fetch call that would send any valid cookies to a backend, or asking dev tools to reevaluate the cookie list seems to trigger a refresh and the cookie then disappears. The test linked above from march '24 has the same result as my local test harness.
These have the issue:
- Chrome 127.0.6533.120
- Edge 127.0.2651.98
- Arc: 1.5.0.31351 (Chromium Engine Version 125.0.6422.142)
These do not have the issue:
- Brave: 1.68.137 (Chromium Engine Version 127.0.6533.100)
- Firefox
ol...@chromium.org
Hello,
Thanks for the added details.
Since the optimization to avoid IPCs is really a best-effort thing I think it'd be fine to simply issue ourselves a delayed task to invalidate the cached version.
I'm validating that
mo...@chromium.org
mo...@chromium.org
what makes this messy is that we traditionally noticed when trying to read it.... but the whole point of caching is to avoid the read.
eu...@gmail.com
I'm impacted too. Another way to reproduce this:
document.cookie = "testme=Banana; Max-Age=4";
let i = 0
setInterval(() => {
i++
console.log(i, document.cookie)
}, 1000)
In Firefox, it will start logging empty strings from i=4 (as it should). Chrome/Chromium will keep logging the initial value :(
ol...@google.com
@morlovich: Thanks for the pointer that's a good point.
Would you be OK with us implementing the incomplete solution as I figure out the real fix so we can unblock the users reporting in the bug right here?
mo...@chromium.org
Anyway, I am not totally opposed, but I am a bit worried about the number of timers that may be floating around --- some sites hit document.cookie writes kinda hard.
mo...@chromium.org
just have GetCookieString return an expiration time, that's just min of expiration time of non-session cookies returned.
Then that can also be checked to expire the cache.
The only problem is clock changing since it's base::Time, so the renderer and network service may have different ideas on what it is if it happens. (So some expirations may be lost, but if it's a small correction it's probably not a big deal?)
(The set improvements can then also include the expiration time of the new cookie, which can be min'd with the renderer's value, which is a conservative approximation).
ol...@chromium.org
Talking to dylancutler@ about this another idea would be to leverage GetAllForUrl() instead of GetCookiesString potentially.
If I'm not 100% clear on what are the existing behavior expectation with NTP changes and cookie expirations but since caching is best effort kind of thing we could probably invalidate the cached cookie value on the minimum of expected real elapsed time and potentially correct time.
Edit: Actually thinking about this more I feel like
The first time it will get the proper expiration, if it's updated through CookieJar it will be invalidated and lastly if the expiry is updated through an http header then the value is actually set and this should trigger:
mo...@chromium.org
Yeah, Benoit suggested this also when I asked. You would have to compute min of all cookie's expirations, but that's easy (just beware session cookies, those claim to be null but are max for purposes of this computation). Also probably need something to make sure there aren't too many timers... and clock change is still a headache.
dy...@google.com
Talking to dylancutler@ about this another idea would be to leverage GetAllForUrl() instead of GetCookiesString potentially.
For reference, GetCookiesString already forwards to this function anyway,
We would just have to move the net::BuildCookieLine call to the renderer which seems benign to me. GetAllForUrl is already used in renderers by the CookieStore API.
We can scan the list of returned cookies for the minimum expiration date (ignoring session cookies since they do not expire over time when a page remains open). In future calls, if the min date is in the past, we invalidate the cache and make a new IPC.
mo...@chromium.org
This is sort of interesting in combination with some of the put optimization ideas. e.g. imagine having a mini-CookieMonster locally, initialized from GetAllForUrl, and doing write though it for JS puts. Of course resyncing it with HTTP writes quickly becomes nightmarish, and it's not a cheap data structure....
ol...@google.com
Hello,
Just as an update I'm going to try to take this on this month and my plan is to implement the expiry task on the network service side with the minimal expiry (thanks Maks for the info on session cookies) on both setting, getting and change notification.
As I understand this will cover all cases:
- Expiry is set through JS as presented in this bug: Yes because delayed invalidation task posted on set.
- Expiry is set through HTTP response header: Yes because delayed invalidation task posted on change notification.
- Expiry was already set at time of first get: Yes because delayed invalidation task posted on first establishing the shared memory communication.
an...@gmail.com
We are impacted by this as well, also pretty sure that it used to work fine before as we had functionality that depends on it that used to work, but has broke a few months back.
We have found one workaround (see the updated snipped below with document.cookie = ''; line) but not sure if there's any unexpected side effects from applying this hack.
The below code works as expected and the cookie dies after 4 seconds as it should.
document.cookie = "testme=Banana; Max-Age=4";
let i = 0;
setInterval(() => {
i++;
document.cookie = ''; // Adding artificial call to manipulate cookie to force browser to remove expired cookies.
console.log(i, document.cookie);
}, 1000)
er...@microsoft.com
python tools/bisect-builds.py -a win -g 225315 -b 1185315 --verify-range -- --no-first-run
yields
Presumably we should also add a Web Platform Test for this?
ol...@chromium.org
Hello,
As an update on this I've coded up a solution that works here:
I've manually validated that it works and I'm going to add a browser test to detect if this ever regresses.
Since that's going to be enough to fully validate the behavior for Chrome a full WPT is out of scope for me in the context of this bug.
I do share the surprise that one never existed in the first place though.
ol...@chromium.org
ap...@google.com
Project: chromium/src
Branch: main
Author: Olivier Li <
Link:
Have RestrictedCookieManager invalidate shared cookie version on get.
Expand for full commit details
Have RestrictedCookieManager invalidate shared cookie version on get.
This keeps cookies from remaining accessible in clients past their
expiry.
Bug: 331061798
Change-Id: I01086cee71ed5dcf68d5d79e5dd1c6ae97c909f1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5845710
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Olivier Li <olivierli@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1416966}
Files:
- M
content/browser/renderer_host/cookie_browsertest.cc - M
services/network/restricted_cookie_manager.cc - M
services/network/restricted_cookie_manager.h
Hash: 140ade5d858d79025266df3876cf276300581b75
Date: Thu Feb 06 12:36:07 2025
Description
Steps to reproduce the problem
Problem Description
Chromium does not update document.cookie when it auto-deletes a cookie that has expired. Hence, document.cookie can contain wrong outdated values that actually no longer exist in the browser. It will only update document.cookie if triggered by some external interaction like inspecting cookies in the application tab of devtools. This problem does not happen in firefox.
Summary
document.cookie can still contain cookies that the browser has already deleted
Additional Data
Category: JavaScript
Chrome Channel: Not sure
Regression: N/A