Secure cookies not showing on insecure sites.


Gunnar Brand

Aug 18, 2017, 12:19:54 PM
to Google Chrome Developer Tools
There are a few cookie-related topics on this list, some of them are related to changes made (which also triggered many, many bug reports, e.g. https://bugs.chromium.org/p/chromium/issues/detail?id=704878 and https://bugs.chromium.org/p/chromium/issues/detail?id=711194), which is not a devtools "issue" per se.

But actually the devtools keep the developer in the dark when he/she stumbles upon it and tries to debug the issue!
The problem is that the devtools will not show the secure cookies on the insecure site, even though they block setting an insecure version of the cookie as made with the change linked above, and thus the developer cannot understand why it fails. Devtools should only filter cookies shown to the developer by domain!

I have a test site with http on port 8080 and https on port 8443.
When I log in via http, I get insecure session cookies that will be shown in the application:


Via https the same cookies are shown:


When I remove these cookies and log in via https, I get fresh secure cookies:


Now the insecure site will enter an endless login loop because the server will try to set insecure cookies, which Chrome will block as intended. But when I debug the insecure site, I will not see these cookies:


This is very frustrating and should be fixed.
Even if Chrome does not send secure cookies to an insecure site, cookies are not filtered by port, and neither should the devtools. The devtools should show all cookies of a domain to the developer.

I am using Version 60.0.3112.101 (official) (64-Bit)
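
The scenario in the post above, as an added example that is not part of the original thread: a simplified cookie store keyed by host rather than port, where an insecure origin cannot overwrite a cookie carrying the Secure attribute. The names `CookieJar` and `loginLoopScenario`, the host `test.example` and the cookie `SESSION` are constructed for illustration.

```javascript
// Simplified model: host-only cookies, every cookie on Path=/ (assumption).
class CookieJar {
  cookies = []; // { host, name, value, secure }
  // Apply one Set-Cookie header received from `url` and report the outcome.
  set(url, header) {
    const { protocol, hostname } = new URL(url);
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const [name, value] = [pair.slice(0, eq), pair.slice(eq + 1)];
    const secure = attrs.some((a) => a.toLowerCase() === "secure");
    const fromHttps = protocol === "https:";
    if (secure && !fromHttps) {
      return { stored: false, reason: "Secure attribute on insecure origin" };
    }
    // The port is not part of the key, so :8080 and :8443 share one store.
    const same = (c) => c.host === hostname && c.name === name;
    if (!fromHttps && this.cookies.some((c) => same(c) && c.secure)) {
      return { stored: false, reason: "would overwrite a Secure cookie" };
    }
    this.cookies = this.cookies.filter((c) => !same(c));
    this.cookies.push({ host: hostname, name, value, secure });
    return { stored: true, reason: "ok" };
  }
  // Cookies the browser attaches to a request for `url`.
  sentTo(url) {
    const { protocol, hostname } = new URL(url);
    return this.cookies
      .filter((c) => c.host === hostname && (!c.secure || protocol === "https:"))
      .map((c) => `${c.name}=${c.value}`);
  }
  // Every cookie stored for the host, whatever the scheme or port.
  storedFor(hostname) {
    return this.cookies.filter((c) => c.host === hostname).map((c) => c.name);
  }
}

// Constructed scenario from the post: HTTPS login first, then HTTP login.
function loginLoopScenario() {
  const jar = new CookieJar();
  const https = jar.set("https://test.example:8443/login", "SESSION=a1; Secure");
  const http = jar.set("http://test.example:8080/login", "SESSION=b2");
  return {
    https, http,
    sentToHttp: jar.sentTo("http://test.example:8080/"),
    sentToHttps: jar.sentTo("https://test.example:8443/"),
    stored: jar.storedFor("test.example"),
  };
}
```

In this model the HTTP login's cookie is rejected and nothing is sent to the HTTP site, while `storedFor` still lists the Secure `SESSION` cookie that explains the rejection.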

PhistucK

Aug 18, 2017, 12:24:38 PM
to Google Chrome Developer Tools
Cookies are shown for the origin (protocol, host, port), not for the domain, intentionally.
It is true that you are missing information in this specific scenario, but in general you only want to see the cookies that will be exposed to the server/document and those are not exposed.
I would expect there to be a console warning or something similar, stating that the browser blocked setting a cookie due to this feature, but I would not expect them to show up in the normal cookies section.


PhistucK


Pavel Feldman

Aug 18, 2017, 2:41:53 PM
to Google Chrome Developer Tools
I agree that this needs a fix, could you file a bug at crbug.com/new and post a link to it here? We could look for the UX that would be understandable, for example surface secure cookies and dim them so that it was clear that they were not used.

Gunnar Brand

Aug 21, 2017, 12:08:16 PM
to Google Chrome Developer Tools