ResponseCookies#delete does not work with __Secure-/__Host- cookie prefixes. #56632
Open
Labels: bug (Issue was opened via the bug report template.)
Link to the code that reproduces this issue
https://codesandbox.io/p/sandbox/suspicious-worker-939hzv
To Reproduce
set-cookie headers for the two requests in Web Inspector:
Current vs. Expected behavior
The two buttons both attempt to delete a cookie. The "Delete Cookie" button demonstrates the current unexpected behavior. The "Delete Cookie (with set)" button demonstrates a workaround.
Delete Cookie
This button uses ResponseCookies#delete. It attempts to delete a cookie that uses the __Secure- prefix. When a cookie uses this prefix, it must use the Secure attribute, both when setting the cookie and deleting it, otherwise the set-cookie header will be blocked by the browser.
Expected Behavior
The set-cookie header should include the Secure, HttpOnly, and SameSite=none attributes.
Current Behavior
The set-cookie header does not include the Secure, HttpOnly, and SameSite=none attributes.
Warning
As the set-cookie header has the __Secure-, but does not use the Secure attribute, it is blocked by the browser:
Delete Cookie (with set)
This button uses ResponseCookies#set as a workaround. It attempts to delete a cookie that uses the __Secure- prefix. When a cookie uses this prefix, it must use the Secure attribute, both when setting the cookie and deleting it, otherwise the set-cookie header will be blocked by the browser.
The set-cookie header does include the Secure, HttpOnly, and SameSite=None attributes, as expected.
Verify canary release
Provide environment information
Operating System:
  Platform: linux
  Arch: x64
  Version: #1 SMP PREEMPT_DYNAMIC Sun Aug 6 20:05:33 UTC 2023
Binaries:
  Node: 20.7.0
  npm: 10.1.0
  Yarn: 1.22.19
  pnpm: N/A
Relevant Packages:
  next: 13.5.5-canary.4
  eslint-config-next: 13.5.4
  react: 18.2.0
  react-dom: 18.2.0
  typescript: 5.2.2
Next.js Config:
  output: N/A
Which area(s) are affected? (Select all that apply)
App Router
Additional context
No response
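The prefix rule this issue turns on, as an added example that is not part of the original report and not Next.js code: a checker that flags set-cookie headers a browser would reject for a __Secure- or __Host- name, next to a deletion header that keeps the required attributes. The function names and the cookie name are hypothetical, and the sample headers are constructed.

```javascript
// Split a set-cookie header value into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const attributes = new Map();
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes.set(key, i === -1 ? "" : attr.slice(i + 1));
  }
  return { name, attributes };
}

// Return the prefix rules a header breaks (empty array = acceptable).
// Only header-visible rules are checked; the secure-origin requirement is not.
// Prefixes are compared case-insensitively, the stricter choice for a checker.
function prefixViolations(header) {
  const { name, attributes } = parseSetCookie(header);
  const lower = name.toLowerCase();
  const isHost = lower.startsWith("__host-");
  if (!isHost && !lower.startsWith("__secure-")) return [];
  const problems = [];
  if (!attributes.has("secure")) problems.push("missing Secure");
  if (isHost) {
    if (attributes.get("path") !== "/") problems.push("Path must be /");
    if (attributes.has("domain")) problems.push("Domain not allowed");
  }
  return problems;
}

// Build a deletion header that repeats the attributes the cookie was set with.
function deletionHeader(name, { path = "/", httpOnly = true, sameSite = "None" } = {}) {
  const parts = [`${name}=`, `Path=${path}`, "Expires=Thu, 01 Jan 1970 00:00:00 GMT", "Secure"];
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Constructed samples: a deletion without attributes, and one that keeps them.
const SAMPLES = [
  "__Secure-example=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
  deletionHeader("__Secure-example"),
  deletionHeader("__Host-example"),
];
for (const h of SAMPLES) {
  console.log(prefixViolations(h).join(", ") || "ok", "<-", h);
}
```
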