Critical error: cookie set by JavaScript should not be sent over HTTP

Jake456 · July 31, 2021, 7:43pm

https://browseraudit.com picks up one critical error with Brave (in my case running on Mac OS)
= cookie set by JavaScript should not be sent over HTTP

rosiecar · July 31, 2021, 7:55pm

This post has nothing to do with Brave Rewards. I recommend you move it to the Desktop Support category.

Rethanis · August 1, 2021, 1:48pm

github.com/brave/brave-browser

Block `Cookie set by JavaScript should not be sent over HTTP`

opened 11:02AM - 14 Feb 21 UTC

closed 08:04AM - 18 Feb 21 UTC

ryanbr

privacy closed/not-actionable OS/Android OS/Desktop

## Description When visiting `https://browseraudit.com/` We get one critical issue related to Cookies over http ## Steps to Reproduce 1. Open `https://browseraudit.com/` 2. Let it complete it run 3. End of the benchmark run, it will show scores, with one "Critical". (See Screenshot below) ## Actual result: ![browseraudit1](https://user-images.githubusercontent.com/1659004/107874194-adc3f480-6f1c-11eb-80db-6b049412cf2d.png) ![browseraudit](https://user-images.githubusercontent.com/1659004/107874199-b7e5f300-6f1c-11eb-854e-3963a7719904.png) ## Expected result: Block `Cookie set by JavaScript should not be sent over HTTP` ## Reproduces how often: Easily reproduced ## Brave version (brave://version info) `Version 1.20.103 Chromium: 88.0.4324.152 (Official Build) (64-bit)` ## Version/Channel Information: - Can you reproduce this issue with the current release? Yes - Can you reproduce this issue with the beta channel? Yes - Can you reproduce this issue with the nightly channel? Yes ## Other Additional Information: - Does the issue resolve itself when disabling Brave Shields? No - Does the issue resolve itself when disabling Brave Rewards? - Is the issue reproducible on the latest version of Chrome? ## Miscellaneous Information: Issue was discussed on Twitter, I've created this report to detail the issue **Firefox passes test (Denys js setting cookies via http)** ![firefox-browser-audit](https://user-images.githubusercontent.com/1659004/107874532-27f57880-6f1f-11eb-8663-468aacd0c816.png) **Chrome:** ![chrome-browser-audit](https://user-images.githubusercontent.com/1659004/107874557-507d7280-6f1f-11eb-84cb-07810ad5242a.png) cc: @pes10k

According to @pes, Director of Privacy:

So turns out this is a test bug. Chromium automatically upgrades the request to HTTPS, which causes the cookie to be sent (bc its now HTTPS) which confuses the test (which doesn’t expect the upgrade and so doesn’t expect the cookie). Firefox seems to not upgrade the request, which is what causes the test to be green for them.

Topic		Replies	Views
Browseraudit.com - cookie set by JavaScript should not be sent over HTTP Desktop Support linux	2	893	May 11, 2020
Critical secruity issues? Nightly Builds windows	11	1174	October 16, 2020
MacOs Brave issue Desktop Support macos	2	303	November 4, 2024
Brave not upgrading to HTTPS Web Compatibility https	0	456	February 20, 2021
Disabling "Upgrade connections to HTTPS" is not working Desktop Support linux	2	1652	June 22, 2020
Cookie popup on websites keeps appearing on https://www.telegraaf.nl Desktop Support windows	7	1248	July 16, 2019
Brave keeps Redirecting http to https incessantly Web Compatibility windows , android	13	887	December 13, 2024
Accept external content button not working in Brave only Ad-Blocking feature-request	6	625	November 6, 2023

Critical error: cookie set by JavaScript should not be sent over HTTP

Related topics