browser.cookies.getAll does not work if site is in "Trusted Sites" security zone

Fixed Issue #13139289

Details

Author: Dominik H.
Created: Aug 8, 2017
Privacy: This issue is public.
Found in: Microsoft Edge
Found in build #: 40.15063
Reports: Reported by 13 people

Steps to reproduce

browser.cookies.getAll does not work if site is in the “Trusted Sites” security zone in the internet options.
If the site from which the cookies should be retrieved is IN the “Trusted Sites” security zone, an empty array is always passed to the callback function, regardless of the security level settings inside the zone.
In “Advanced Privacy Settings” all cookies are accepted.

I have tried the following (in a background script of the extension):

browser.cookies.getAll({}, function(allcookies) {
    console.log(allcookies);
});

browser.cookies.getAll({url:"<web site url>"}, function(allcookies) {
    console.log(allcookies);
});

browser.cookies.getAll({url:"<web site url>", storeId:"0"}, function(allcookies) {
    console.log(allcookies);
});


What also does not work:

browser.cookies.getAllCookieStores does not list the affected tabs in the tabIds property, so there is no possibility to correctly assign the cookie store with the open tabs.
(If I have only opened the affected site in one tab, the array contains one store with id "0" and an empty tabIds array; if other sites (not in the “Trusted Sites” zone) are open too, these sites are listed in tabIds, but the site in the “Trusted Sites” zone is omitted.)

If the site is NOT in the “Trusted Sites” zone (and not matched in any other security zone; I have not verified whether the problem also occurs with other security zones), everything works as expected (all cookies are delivered, and all tabs are listed in the cookie stores array).


Extension manifest permissions:

"permissions": [
    "tabs",
    "cookies",
    "nativeMessaging",
    "<all_urls>"
]


Does anybody know a workaround (besides removing the site from the “Trusted Sites” zone, which is not applicable in our case) for this?

Regards,
Dominik Hölzl

Attachments

1 attachment
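
The symptom described in the report (a tab missing from every cookie store's tabIds while getAll returns an empty array for its URL) can be checked from an extension background script. The following is an added example, not code from the report or its attachment; the function names, the mock object and the example URLs are constructed for illustration.

```javascript
// Added diagnostic (not from the original report). `api` is the extension's
// callback-style `browser` object; needs the "tabs" and "cookies" permissions.
function findTabsMissingFromCookieStores(api, done) {
  api.tabs.query({}, function (tabs) {
    api.cookies.getAllCookieStores(function (stores) {
      // Every tab id that at least one cookie store claims in tabIds.
      var covered = new Set();
      stores.forEach(function (store) {
        (store.tabIds || []).forEach(function (id) { covered.add(id); });
      });
      var webTabs = tabs.filter(function (t) { return /^https?:/i.test(t.url || ""); });
      var report = [];
      var pending = webTabs.length;
      if (pending === 0) { done(report); return; }
      webTabs.forEach(function (tab, i) {
        api.cookies.getAll({ url: tab.url }, function (cookies) {
          var count = (cookies || []).length;
          var inStore = covered.has(tab.id);
          // Zero cookies alone is normal for some sites; the reported symptom
          // is zero cookies together with the tab missing from every store.
          report[i] = { tabId: tab.id, url: tab.url, inCookieStore: inStore,
                        cookieCount: count, suspect: !inStore && count === 0 };
          if (--pending === 0) { done(report); }
        });
      });
    });
  });
}

// Constructed stand-in for `browser`, modelling the behaviour in the report:
// tab 2 (hypothetical trusted-zone site) is omitted from tabIds and yields [].
var mockApi = {
  tabs: { query: function (q, cb) { cb([
    { id: 1, url: "https://normal.example/" },
    { id: 2, url: "https://trusted.example/" },
    { id: 3, url: "about:blank" }]); } },
  cookies: {
    getAllCookieStores: function (cb) { cb([{ id: "0", tabIds: [1] }]); },
    getAll: function (details, cb) {
      cb(details.url.indexOf("normal") !== -1 ? [{ name: "sid", httpOnly: true }] : []);
    }
  }
};
function runOnMock() {
  var out;
  findTabsMissingFromCookieStores(mockApi, function (r) { out = r; });
  return out; // the mock calls back synchronously
}
console.log(runOnMock().filter(function (r) { return r.suspect; }));
```

In a real background script, pass `browser` instead of `mockApi` and log the report from the `done` callback.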

Comments and activity

  • This BUG is a Major issue for our Edge Extension!
    Is there any possibility to get rid of this issue?

  • This is very important for us as there is no other way to read HttpOnly cookies from our web sites.

  • Microsoft Edge Team

    Changed Assigned To to “James M.”

  • Hello,

    Thank you for providing this information about the issue. Please provide us with the reduced code as an Edge Extension, and any repro steps for your test.

    Best Wishes,
    The MS Edge Team

  • I have added an attachment to clearly and distinctly reproduce the problem.

    Steps:

    • Install and activate unpacked Edge Extension “ReadCookiesTestExtension”
    • Navigate to an arbitrary web site, e.g. “https://www.microsoft.com/”
    • Optionally open F12 in the web site and the extension background page
    • Remove the site from all internet security zones ("Trusted Sites", "Local Intranet", “Restricted sites”)
    • Reload the site
    • Hit "Read all cookies from this page via extension", all cookies (HttpOnly included) should be displayed
    • Add the site to “Trusted Sites” security zone (e.g. adding “*.microsoft.com”)
    • Reload the site
    • Hit "Read all cookies from this page via extension", no cookies can be read
  • Microsoft Edge Team

    Changed Status to “Confirmed”

    Changed Status from “Confirmed” to “Fixed”

  • Hello,

    Thank you for providing this information about the issue. We are pleased to report this feature is fixed in Edge 16281 and is available in our latest Insider Preview build in the Fast ring.

    Best Wishes,
    The MS Edge Team
