-
-
Notifications
You must be signed in to change notification settings - Fork 418
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: eraseCookies doesn't respect domain #718
Comments
Note that there is a test related to this that is passing but should fail because the "path" doesn't match: https://github.com/orestbida/cookieconsent/blob/master/tests/api.test.js#L180-L184 |
At the moment the plugin tries 2 attempts to delete a cookie: cookieconsent/src/utils/cookies.js Lines 331 to 332 in 3c8df8e
which explains your behaviour. As for the path thing, I cannot reproduce that; if I specify a wrong path, cookies are not deleted.
How would you do this with javascript? AFAIK you can't detect the path or domain where a cookie is set. |
@orestbida The function does not work as described. Please look at the following two things:
Please fix/add more tests to match the |
You said
What about You said
I find that to be true, which is the motivation for removing them completely in #717 Thank you for your patience. I may not have identified the problem completely correctly, but there is a problem and I think more unit tests will help flush it out. |
I've added tests here that show my understanding of how the |
The tests are flawed. You are setting a cookie in a specific path, but you can't see it, unless your current page corresponds to that exact path. You could add a condition to check if the cookie exists and that would fail, since it('Should erase cookie with specific path and domain', () => {
document.cookie = 'test_cookie5=21; expires=Sun, 1 Jan 2063 00:00:00 UTC; path=/ciao; domain='+location.host;
expect(api.validCookie('test_cookie5')).toBe(true); //fails
...
}); |
You CAN delete a cookie in a different path/domain, but you must know beforehand the path/domain. They can't be retrieved via javascript.
This is indeed deleting the cookies, and it's because of this #718 (comment). So that is indeed a bug. |
This reinforces my sense that the |
I already said twice that it DOES do something. You CAN delete a cookie by providing a path, but you can't test if it exists or not, so you have to know what was set where. Here is the most basic pure example: // set cookie in the /demo path
document.cookie = "test=d; expires=Fri, 31 Dec 2025 23:59:59 GMT; path=/demo";
// delete cookie, set on /demo, whether you are on the same path or not
document.cookie = "test=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/demo"; |
I recognize that you have multiple times stated that specifying You acknowledged that there is a bug. I'm trying to flush out its consequences on how If that is the case, then what is the difference of outcome between |
If you are on document.cookie = "test=d; expires=Fri, 31 Dec 2025 23:59:59 GMT; path=/demo"; that cookie can only be deleted by this: document.cookie = "test=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/demo"; these do not work: document.cookie = "test=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
document.cookie = "test=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/other"; |
Thanks for bearing with me. I've updated the tests in #719 and it should now just be failing on the bug you mentioned, coming from cookieconsent/src/utils/cookies.js Line 331 in 3c8df8e
|
Simply deleting the first erase function might not be the best approach. Since we don't know how a cookie is set (with/without a specific domain), we have to try both by default. If a cookie is set with an explicit domain: document.cookie = "test=d; expires=Fri, 31 Dec 2025 23:59:59 GMT; domain=domain.com"; it can only be deleted with: document.cookie = "test=; expires=Thu, 01 Jan 1970 00:00:00 UTC; domain=domain.com"; // or .domain.com Instead, we should check if the user specifies a custom domain value. If a domain is provided, we should call the erase method with the domain parameter only. |
Affirmative. I've just pushed to #719 a possible approach. |
@orestbida Thank you again for putting up with my earlier misunderstanding related to |
Mhm, you are currently trying to delete the cookie 2 times, both with a specific domain field. If a cookie is set without a specific domain field it will not be deleted. This should technically do the job: if (!customDomain) {
erase(cookieName);
}
erase(cookieName, domain); |
The case
is covered in
|
... because the |
Expected Behavior
When a
domain
is specified, only cookies that match that domain should be deleted.Current Behavior
All cookies with name that match the
cookies
param are deleted.Steps to reproduce
Use
eraseCookies(/.*/, '/', 'specific.domain')
and see all cookies deleted even though they have a different domain.Proposed fix or additional info.
No response
Version
3.0.1
On which browser do you see the issue?
No response
The text was updated successfully, but these errors were encountered: