21

I've recently been porting a Chrome extension to Safari, and encountered this kind of error (bug, feature, etc.)

So, in the global page I have an XMLHTTP request to a secure page which is available only after you log in.

Example:

  1. I simply log in using the browser, as you usually do on Facebook or other secure pages
  2. After that, in the global page, I load a login-only XMLHTTP request, and it says I'm not logged in

It seems that the global page somehow has its own cookies, so the secure page thinks I'm new.

PS: in Chrome I can load that page and it thinks I'm acting on behalf of the logged-in user, so I guess there are some restrictions in Safari.

PPS: I heard there's a "Block third-party cookies" option in Safari, but even if I set it to "Never block" it still doesn't work.

Alex K
  • Yes, I'm stuck with the same issue, and noticed it is reflecting after some seconds. Have you been able to solve this issue? – ManojMarathayil Feb 07 '12 at 13:48
  • Nope, there's an official bug filed with Mac support... but I still don't know if it's fixed. I had to drop Safari support for this project I'm doing :( – Alex K Feb 07 '12 at 19:42
  • Ok, Can you share the mac support link? – ManojMarathayil Feb 08 '12 at 04:43
  • What sets the cookie? If it is PHP, then it could be that the cookie is being set securely and/or as HTTP only (see http://php.net/setcookie), and is therefore not sent back by JavaScript/AJAX. – Ashley Strout Feb 09 '12 at 21:36
  • @David, it's an extension, and if you have read my question you should notice that Chrome works as it should – Alex K Feb 13 '12 at 19:03
  • @m m, i can't find a link, Apple is too bad with its bug tracker system - it looks like it's made in 90s – Alex K Feb 13 '12 at 19:04
  • I'm sorry, the question wasn't completely clear to me. I did read it. – Ashley Strout Feb 13 '12 at 19:04
  • Alex, do you happen to have the Apple bug ID even if no link? It might be helpful for reference. Also would be nice if someone had cross posted that bug to http://openradar.appspot.com – David Jul 20 '13 at 20:08
  • yes, the ID is 9912992, and it is marked as duplicate of 9822361.. they didn't give the URL to that bug though, and i can't find a way to find it – Alex K Jul 22 '13 at 08:54
  • is there a best practice for authenticating from a safari browser extension? How should we be doing it since cookies aren't persisting? – mc. Jul 07 '14 at 19:25

4 Answers

3

Unfortunately, the problem still exists in the Windows version of Safari 5.1.7.

I've found a workaround: pass the login credentials (username/password pairs) to the global page using message passing, and the global page uses them to log in silently.

John Saman
  • the global page... now that's interesting, so you pass all work to the global page and wait for the response async way? – Alex K Nov 05 '12 at 21:12
  • @John, can you elaborate on the process with code example? Funny your answer is deemed ok, when some SO posts require posting code samples. I'd like to figure out how to do this for a Safari toolbar extension. The toolbar HTML content and AJAX requests are all on the same "page". The page includes the JS for the AJAX calls. The XHR/AJAX calls need to send along the page's session cookie to get a proper response. I didn't have to do any special handling on Chrome, it just knew to do so. Don't know what exactly needs to be done on Safari. – David Apr 09 '15 at 23:41
1

I had that problem with Safari 5.1.2 for Windows, but after upgrading to the current version (5.1.7) the problem disappeared. Maybe they fixed it on some intermediate version. It is also working for me on a Safari 5.1.3 for Mac OS X.

rsanchez
  • thanks! these are super news, now that means i can continue on Safari development as well :) – Alex K Jul 11 '12 at 07:50
  • Funny, for me it worked initially when I developed the Safari extension 5.x (forget exact version) and it worked on Windows and Mac. Since then it's stopped working on both in all versions of Safari that I can use 5.x+. So maybe for me, it used to work until Apple securitized Safari. – David Apr 09 '15 at 23:34
0

Cookies must not be "Session cookies", they must be persistent. Set expiration date.

It needs to be done on the server side. For example, for Node.js/Express, something like this:

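var session = require('cookie-session');
// …
// 1 day cookie lifetime, in milliseconds. maxAge is applied relative to each
// response; a Date computed once at startup would already be in the past
// for any cookie issued more than a day after the process started.
var cookieMaxAge = 24 * 60 * 60 * 1000;
// …
app.use(
    session({
        // …
        name: 'session',
        maxAge: cookieMaxAge
    }));
// …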
A.L
  • You can also create cookies on client-side, for example with this jQuery plugin: http://plugins.jquery.com/cookie/ – A.L Mar 27 '15 at 00:42
  • @A.L You can, but usually server initiates session, not client. – m_emelchenkov Mar 27 '15 at 10:38
  • I don't understand why you're speaking of session, that's not mentioned in the original question. – A.L Mar 27 '15 at 10:44
  • So how would you deal with session cookies? Assuming you had no control of the server side. Or you are out of luck in this case? – David Apr 16 '15 at 01:22
  • @David, I am talking about a case where you are developing an extension for your own service and can modify the server side. If you work with a 3rd-party service, there is probably no good news, except that you may try to write a proxy web service. – m_emelchenkov Apr 16 '15 at 13:32
0

Cookies can optionally be marked as either HttpOnly or Secure. If it's not passing them across, you are probably trying to access an HTTP resource on the same site from the HTTPS post-login landing page, so the browser won't allow the secure cookie to be sent over a non-secure link. Effectively, the HTTP and HTTPS sites are being treated as separate.

You either need to make sure that after login, you get the browser redirected to HTTP and set an HttpOnly cookie, or just do the XMLHttpRequest over HTTPS. This would be more secure and doesn't really add much server overhead (it used to when hardware was slow, but Google say that when Gmail went over to using HTTPS as a default, it didn't impact on server load more than a couple of percent).

Try setting the entire site to run over HTTPS and see if that fixes it. Also, use Firebug and the Firecookie extension to see whether the cookies have either of these options enabled (right-hand two columns).

Matt Gibson
  • Firefox and Chrome both work well in both cases (https and http). It's a matter of how Safari handles cookies in extension – Alex K Feb 15 '12 at 19:38
  • Yeah i'm having this same issue? Has anyone found a solution? – mc. Jul 07 '14 at 19:23
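
The cookie properties discussed in the last two answers (session vs. persistent lifetime, Secure, HttpOnly) can be checked directly from a `Set-Cookie` header. The following is an added example, not code from any of the answers; the function names, finding labels, cookie values and URLs are constructed for illustration, and the header is assumed to be evaluated at the moment it is received.

```javascript
// Parse one Set-Cookie header into the attributes relevant to this thread.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, httpOnly: false, maxAge: null, expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'max-age' && /^-?\d+$/.test(val)) cookie.maxAge = Number(val);
    else if (key === 'expires' && !Number.isNaN(Date.parse(val))) cookie.expires = new Date(val);
  }
  return cookie;
}

// Report why a cookie may be missing from (or invisible to) a request to requestUrl.
function diagnose(header, requestUrl, now = new Date()) {
  const c = parseSetCookie(header);
  const findings = [];
  // Max-Age takes precedence over Expires (RFC 6265, section 5.3).
  const expiry = c.maxAge !== null ? new Date(now.getTime() + c.maxAge * 1000) : c.expires;
  if (expiry === null) findings.push('session-cookie');        // no lifetime set
  else if (expiry <= now) findings.push('expired');
  // A Secure cookie is never attached to a plain-HTTP request.
  if (c.secure && new URL(requestUrl).protocol !== 'https:') findings.push('secure-blocked-on-http');
  // HttpOnly hides the cookie from document.cookie; it is still sent with XHR.
  if (c.httpOnly) findings.push('httponly-unreadable-by-script');
  return findings;
}

// Constructed sample: session cookie marked Secure and HttpOnly, requested over HTTP.
console.log(diagnose('sid=abc123; Path=/; Secure; HttpOnly', 'http://example.com/data'));
```

An empty result means none of these header-level causes applies, which points back at how the browser partitions cookies for the extension's global page.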