Description
Current behavior
Cypress misbehaves when managing secure cookies on localhost.
Chromium
Cypress visits some path (e.g., /set-cookie) that sets a secure cookie. Then, Cypress visits another path (/) that reads the cookie value. On that second request, Cypress doesn't send the cookie. Chromium indicates the cookie is sent, but the web server doesn't receive it, and a MitM proxy shows the cookie is not in the request. If the cookie is not marked as secure, everything behaves correctly.
The attached reproduction repo provides the details about this test.
Request that pretends to send the cookie:
For comparison, here's the intercepted request when using an insecure cookie:
Firefox
In Firefox, the secure cookie is never set in the first place.
Devtools prints: Cookie “mySecureCookie” has been rejected because a non-HTTPS cookie can’t be set as “secure”.
(Related: #16611)
Desired behavior
localhost is considered a secure browsing context, and the repro app works correctly outside of Cypress. Setting and transmitting a secure cookie on localhost should be successful. Failing that, Chromium should not lie about whether the cookie is being sent.
Test code to reproduce
Here's an app I put together that minimally reproduces the issue, with failing Cypress tests.
npm install, npm start to launch the web server, npm test to show the Cypress tests demonstrating the failure.
Cypress Version
8.7.0
Other
If I open a normal Chromium or Firefox instance, everything works correctly. This only happens under Cypress' automation.
Chromium version: 94.0.4606.81 (openSUSE Build) stable (64-bit)
Firefox version: 93.0 (64-bit)
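
The two-step flow described in this report, as an added example (not the code from the issue's reproduction repo): a request handler that sets the cookie at /set-cookie and records on / what the server actually received, so the result can be compared with what devtools display. The cookie name mySecureCookie comes from the Firefox message quoted above; myPlainCookie, the cookie values and the /set-plain-cookie path are constructed for the comparison case.

```javascript
// Added example, not the reproduction repo's code.
// "mySecureCookie" is the name quoted in the report; "myPlainCookie",
// the values and /set-plain-cookie are constructed for comparison.
const COOKIES = {
  "/set-cookie": "mySecureCookie=s3cure; Path=/; Secure",
  "/set-plain-cookie": "myPlainCookie=plain; Path=/",
};

// Parse a Cookie request header into {name: value}. Each pair is split on
// the first "=" only, so values containing "=" (base64, JWTs) stay intact.
function parseCookieHeader(header) {
  const jar = {};
  for (const raw of (header || "").split(";")) {
    const pair = raw.trim();
    const eq = pair.indexOf("=");
    if (eq < 1) continue; // skip empty or nameless fragments
    jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// What the server received, independent of what the browser UI claims.
function report(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  return {
    rawCookieHeader: cookieHeader || null,
    mySecureCookie: "mySecureCookie" in jar,
    myPlainCookie: "myPlainCookie" in jar,
  };
}

// Handler with the (req, res) shape that Node's http.createServer expects.
function onRequest(req, res) {
  const path = req.url.split("?")[0];
  if (COOKIES[path]) {
    res.writeHead(200, { "Set-Cookie": COOKIES[path], "Content-Type": "text/plain" });
    return res.end("cookie set\n");
  }
  if (path === "/") {
    const body = JSON.stringify(report(req.headers.cookie));
    console.log(`GET / received: ${body}`); // server-side ground truth
    res.writeHead(200, { "Content-Type": "application/json" });
    return res.end(body);
  }
  res.writeHead(404);
  res.end();
}
```

To serve it, pass the handler to Node's built-in server: `require("http").createServer(onRequest).listen(3000, "localhost")` (port 3000 is an assumption), then compare the logged line with the request shown in devtools.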