
The main question is: why are the persistent cookies I set via JavaScript in a locally stored HTML page in Firefox not loaded into the `document.cookie` property, despite being correctly shown in storage after restarting the browser? I've tried setting the path to / and to the exact file path, and SameSite to all possible values; HttpOnly and Secure are false.

The additional question is: what exactly is the grave danger in allowing such local cookies, since I've seen some claims about this not working "for security reasons" during my research on the topic?

P.S.: Since I've asked a simple question (I hope so) right here, without sending you to browse half the Internet, please, please read the question carefully to make sure the question you are answering and the one I've asked you is the same, and give me the real answer here too, in plain text. If you need to quote an RFC or Firefox's source code here to do this, please do so.

P.P.S.: Please, spare me the revelations of file:// cookies being "unreliable", I did my homework. What I want to know is not what but why, and if there's any workaround besides localStorage (which is "unreliable" too). The whole thing seems so stupid that I have a feeling I'm missing something obvious, but I haven't found the explanation yet.

Main Furr
  • Welcome to Stack Overflow! Please visit the [help], take the [tour] to see what and [ask]. Do some research - [search SO for answers](https://www.google.com/search?q=local+file+protocol+cookies+site:stackoverflow.com). – mplungjan Jul 29 '22 at 11:17
  • @mplungjan https://stackoverflow.com/questions/73165996/local-file-persistent-cookies-set-via-javascript-in-firefox-dont-work-desp – Andreas Jul 29 '22 at 11:32
  • @mplungjan, this is not a duplicate. The cookies are set and saved successfully, they're not loaded into DOM on browser restart. – Main Furr Jul 29 '22 at 11:41
  • That just means you can set them and not read them. Same as with an AJAX call to a server that is not supporting CORS. You can see the result in the network tab, but your browser code cannot access it unless you set some flags when starting the browser – mplungjan Jul 29 '22 at 12:05
  • The answer is the following: You cannot reliably set and retrieve cookies and localStorage (better choice than cookies if nothing needs to be sent to the server) from the file://// protocol. Set up a server or load your file onto a server of an ISP and you can set and read all the cookies and localStorage you want – mplungjan Jul 29 '22 at 12:09
  • It has nothing to do with CORS, as far as I'm concerned, also the origin is the same. And the cookies are set successfully, and they are also read successfully during the session. The problem is that local cookies are ignored in subsequent sessions, as if they were session cookies and were deleted, but they are not deleted and show correct data in developer tools. Just reopen the question, would you kindly? – Main Furr Jul 29 '22 at 12:16
  • I know it's "not reliable", and localStorage is also not supported by many browsers, I did my homework and not afraid of Google. What I need is an answer from someone who really knows what is going on and why, so I wouldn't need to study Firefox source or read tons of useless manuals for one answer. So, will you reopen it or not? – Main Furr Jul 29 '22 at 12:20
  • Why would you even load a website using `file://` protocol? – Konrad Jul 29 '22 at 23:42

1 Answer

file: protocol is not same origin

13 years old FIREFOX Bug report

I have reopened. Here are the dupes I closed it with.

Tell me which of these does not give you an idea of why you cannot do what you want.

Sometimes the answer is just "You cannot do that"

mplungjan
  • In order of appearance: 1. The question is about Chrome not setting cookies at all, which is not my case. Chrome and some other browsers are not setting file:// cookies at all, and I've seen some claims it's "for security reasons". This is what the additional question is about. 2. The same. 3. Not about cookies, although it *has* a hint saying that "the browsers can not determine what is "same domain"" and a rather clumsy workaround which I will use if nothing helps. 4. About MS Edge, not the case, and no explanation why. 5. The answer is for Chrome again, and also no explanation. – Main Furr Jul 29 '22 at 13:00
  • 1. Question is about cookies; answer is applicable to all modern browsers: `Browsers do not store cookies for the file:// url protocol,`. 2. Same - why are you ONLY wanting replies involving Firefox? Most security issues are the same on all modern browsers. 3. localStorage is a better choice than cookies. Just me trying to be helpful to you. 4. Answer is relevant. 5. Firefox question. Answer: `Browsers do not store cookies for the file:// url protocol, although it may depend on the browser anyway` – mplungjan Jul 29 '22 at 13:50
  • The thing is Firefox *is* storing local cookies, which I said many times. It doesn't load them afterwards. So I want to understand if it can be persuaded to do so, and in addition - why the behavior of different browsers about this is so undefined, since local pages are not something nonexistent. Why Firefox? Because my little smart-lights-controller-in-a-page project is targeted for my apartment and I use Firefox. – Main Furr Jul 29 '22 at 14:01
  • So if you want this to work, you can use Chrome with the parameters. The reason is described in the 13-year-old Firefox bug report I found for you. It is vigilant - misplaced or not - to not allow stuff that is not necessary - cookies are not used for persistence in the same browser anymore. They are only used if the server needs to know what is going on. You do not have a server so no need for cookies. DAMN SO is so flaky right now – mplungjan Jul 29 '22 at 14:09
  • Thanks for the info. No need to put so much effort in this though. Leave it be. I will use some workaround, localStorage or whatever. The question was addressed to someone who already knows the reason, to make it quicker if possible. And yes, the whole StackExchange is unstable, no details reported though. – Main Furr Jul 29 '22 at 14:32
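
The answer's point that `file:` is not same-origin, together with the "set up a server" suggestion from the comments, as an added example that is not code from this thread: Node's WHATWG URL implementation serializes a `file:` origin as `"null"`, while the same page served from loopback gets a concrete origin that browser storage can be scoped to. The file name `lights.html`, port 8080 and the `--serve` flag are assumptions.

```javascript
// Added example. lights.html, port 8080 and the --serve flag are assumptions.

// Origin of a URL as serialized by Node's WHATWG URL implementation.
function originOf(url) {
  return new URL(url).origin;
}

// Turn a request target into a path relative to the served directory.
// Returns null when a decoded segment would climb out of that directory.
function safeRelativePath(requestTarget) {
  const { pathname } = new URL(requestTarget, 'http://127.0.0.1');
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null; // malformed percent-encoding
  }
  const parts = decoded.split('/').filter(Boolean);
  const bad = (p) => p === '..' || p.includes('\\') || p.includes('\0');
  return parts.some(bad) ? null : (parts.join('/') || 'lights.html');
}

const TYPES = { '.html': 'text/html; charset=utf-8', '.js': 'text/javascript', '.css': 'text/css' };

// Serve rootDir on the loopback interface only, so nothing on the LAN can reach it.
async function serve(rootDir, port) {
  const http = await import('node:http');
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const server = http.createServer(async (req, res) => {
    const rel = safeRelativePath(req.url);
    try {
      if (rel === null) throw new Error('path escapes served directory');
      const body = await fs.readFile(path.join(rootDir, rel));
      const type = TYPES[path.extname(rel)] || 'application/octet-stream';
      res.writeHead(200, { 'Content-Type': type }).end(body);
    } catch {
      res.writeHead(404).end();
    }
  });
  server.listen(port, '127.0.0.1');
  return server;
}

// Starts only when asked, e.g.: node serve.js --serve /path/to/page-dir
if (process.argv[2] === '--serve') serve(process.argv[3] || '.', 8080);
```

Saved under a hypothetical name such as `serve.js`, the script is started with `node serve.js --serve <dir>` and the page is then opened at `http://127.0.0.1:8080/` instead of through `file://`.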