How to set session cookies with `__Host-` prefix in Electron?

Time:12-01

I'm trying to run Electron in headless mode to fetch content from a remote server which requires cookies with the prefix __Host-. However, the old code used to run

    // Cookie details object for session.cookies.set(): url, name and value only
    var cookie = {
            url: cookieurl,
            name: cookiename,
            value: cookievalue
    };
    win.webContents.session.cookies.set(cookie)
    .then(function(result)
    {
        // Cookie stored; now load the page that needs it
        loadUrl(win, indexUrl, output);
    })
    .catch(function(e)
    {
        // Concatenate the error into the message (the original was missing the "+")
        throw Error("Failed to load cookie, e=" + e);
    });

and this seems to work just fine as long as cookiename does not start with __Host-. When I try to set a cookie with the prefix __Host- I get the following exception instead:

Error: Failed to parse cookie

However, this limitation is not documented at https://www.electronjs.org/docs/latest/api/cookies

CodePudding user response:

This detail is not documented in the official documentation at https://www.electronjs.org/docs/latest/api/cookies but it's a logical result of other rules. Specifically the Set-Cookie HTTP header is defined to follow these rules:

<cookie-name>=<cookie-value>
...
Note: Some <cookie-name> have a specific semantic:

__Host- prefix:
Cookies with names starting with __Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore, are not sent to subdomains), and the path must be /.
...
Attributes
...
Secure Optional
Indicates that the cookie is sent to the server only when a request is made with the https: scheme (except on localhost), and therefore, is more resistant to man-in-the-middle attacks.

Note: Do not assume that Secure prevents all access to sensitive information in cookies (session keys, login details, etc.). Cookies with this attribute can still be read/modified either with access to the client's hard disk or from JavaScript if the HttpOnly cookie attribute is not set.

Insecure sites (http:) cannot set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).

Specifically, you cannot set a cookie whose name starts with the __Host- prefix without also specifying secure. As a result, setting the cookie as described in the question fails. Unfortunately, the exception is just Error: Failed to parse cookie instead of Error: cannot set cookie with "__Host-" prefix without also setting "secure" attribute.

The following should work as expected:

    var cookie = {
            url: cookieurl,          // must be an https: URL for a __Host- cookie
            name: cookiename,        // e.g. "__Host-session"
            value: cookievalue,
            secure: true,            // required by the __Host- prefix
            // httpOnly: true,
            // sameSite: "lax",
    };
    win.webContents.session.cookies.set(cookie)
    .then(function(result)
    {
        loadUrl(win, indexUrl, output);
    })
    .catch(function(e)
    {
        // Concatenate the error into the message (the original was missing the "+")
        throw Error("Failed to load cookie, e=" + e);
    });

The above example also has httpOnly and sameSite attributes in comments to work as a reminder that you probably want to consider these attributes, too.
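Because Chromium only reports "Failed to parse cookie", it helps to check the details object against the `__Host-` rules quoted above before it reaches `session.cookies.set()`. The following is an added example, not code from the question, the answer or the Electron project: a small validator plus a builder for a compliant `__Host-` cookie. The field names (`url`, `name`, `value`, `secure`, `domain`, `path`, `httpOnly`, `sameSite`) are the ones Electron's `Cookies.set` accepts; the function names, the stub `cookies` object and the default-path logic are assumptions of this example. It also covers the `__Secure-` prefix (which needs only `secure` and an https: URL), which goes beyond the `__Host-` case the answer discusses.

```javascript
// Added example: validate an Electron cookies.set() details object against the
// __Host- (and __Secure-) prefix rules before Chromium sees it, so a bad object
// fails with a specific message instead of the generic "Failed to parse cookie".
// Only the details field names come from Electron's Cookies API; the rest is
// hypothetical and runs in plain Node without Electron.

// RFC 6265 section 5.1.4 default-path: the path a cookie gets when "path" is
// omitted (assumption: Chromium derives it from the url the same way).
function defaultPath(urlPath) {
  if (!urlPath || urlPath[0] !== '/') return '/';
  const lastSlash = urlPath.lastIndexOf('/');
  if (lastSlash === 0) return '/';
  return urlPath.slice(0, lastSlash);
}

// Returns the list of rule violations; an empty list means the object is fine.
function cookiePrefixProblems(details) {
  const problems = [];
  const name = typeof details.name === 'string' ? details.name : '';
  let url = null;
  try {
    url = new URL(details.url);
  } catch (_) {
    problems.push('url must be an absolute URL');
  }
  // Rules shared by __Secure- and __Host-: Secure attribute and an https: origin
  if (name.startsWith('__Host-') || name.startsWith('__Secure-')) {
    if (details.secure !== true) problems.push('secure must be true');
    if (url && url.protocol !== 'https:') problems.push('url must use https:');
  }
  // Extra __Host- rules: host-only (no Domain attribute) and Path=/
  if (name.startsWith('__Host-')) {
    if (details.domain !== undefined) problems.push('domain must not be set');
    const effectivePath = details.path === undefined
      ? defaultPath(url ? url.pathname : '')
      : details.path;
    if (effectivePath !== '/') problems.push(`path must be "/" (effective path is "${effectivePath}")`);
  }
  return problems;
}

// Builds a details object that satisfies every __Host- rule, and sets httpOnly
// and sameSite, the two attributes the answer leaves commented out.
function hostCookieDetails(url, name, value, sameSite = 'lax') {
  const fullName = name.startsWith('__Host-') ? name : `__Host-${name}`;
  return { url, name: fullName, value, secure: true, path: '/', httpOnly: true, sameSite };
}

// Wraps cookies.set(): rejects with the violation list instead of letting
// Chromium reject with "Failed to parse cookie". `cookies` is any object with a
// set(details) method that returns a promise (Electron's session.cookies, or
// the constructed stub below).
function setCookieChecked(cookies, details) {
  const problems = cookiePrefixProblems(details);
  if (problems.length > 0) {
    return Promise.reject(new Error(`Refusing to set cookie "${details.name}": ${problems.join('; ')}`));
  }
  return cookies.set(details);
}

// Stand-alone demonstration with a constructed stub instead of a real session.
const stubCookies = { stored: [], set(d) { this.stored.push(d); return Promise.resolve(); } };
const badDetails = { url: 'https://example.com/app', name: '__Host-session', value: 'abc' };
const goodDetails = hostCookieDetails('https://example.com/app', 'session', 'abc');
setCookieChecked(stubCookies, badDetails)
  .catch((e) => console.log(e.message))
  .then(() => setCookieChecked(stubCookies, goodDetails))
  .then(() => console.log('stored:', JSON.stringify(stubCookies.stored)));
```

Run it with `node` and the first call is refused with "secure must be true", while the object built by `hostCookieDetails` is stored. In a real app, replace `stubCookies` with `win.webContents.session.cookies` and keep the `.catch` so a refused cookie is logged rather than silently dropped.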
