Cookies are not set in production env. (Nodejs, angular) - javascript

I am working on my app and I have an issue with cookies. To be more specific - cookies are probably not sent from an iPhone (chrome, safari).
Weird part is that when I open my app on any other device (in production) everything works nice as I expect. Only on iPhone, cookies are not sent with each request (I can see in the logs, that cookie object is null).
When I open my app on PC and inspect cookies in chrome dev tool, they are not there, but when I ran my app on dev server, everything works just fine and even cookies are in the dev tools.
Also, I am getting this warning in chrome, but I don't know if this has any association with my problem.
A cookie associated with a cross-site resource at domain.com was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.
Do you have any idea, why this is happening?
Thanks for your advice
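The rule stated in the Chrome warning above, written as a check over Set-Cookie header values. This is an added example, not part of the original question; the cookie names, the sample headers and the verdict labels are constructed for illustration.

```javascript
// Split one Set-Cookie header value into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const item of rest) {
    if (!item) continue;
    const i = item.indexOf("=");
    // Attribute names are case-insensitive; flags such as Secure have no value.
    const key = (i === -1 ? item : item.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? "" : item.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Apply the warning's rule: a cookie is delivered with cross-site requests
// only if it is set with SameSite=None and Secure.
function crossSiteVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = "samesite" in attrs ? attrs.samesite.toLowerCase() : null;
  const secure = "secure" in attrs;
  let verdict;
  if (sameSite === null) verdict = "missing-samesite"; // the case the warning flags
  else if (sameSite !== "none") verdict = "restricted-by-samesite"; // Lax or Strict
  else verdict = secure ? "cross-site-ok" : "none-without-secure";
  return { name, verdict };
}

// Return only the cookies that would not be delivered cross-site.
function audit(headers) {
  return headers.map(crossSiteVerdict).filter((r) => r.verdict !== "cross-site-ok");
}

// Constructed sample headers, as a server might emit them.
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; HttpOnly",
  "sid=abc123; Path=/; HttpOnly; SameSite=None",
  "sid=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  "prefs=dark; Path=/; SameSite=Lax",
];

console.log(audit(SAMPLE_HEADERS));
```

Because Secure is part of the rule, a cookie that passes this check is only ever sent over HTTPS.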

Related

Service-worker 'periodicsync' with self-signed certificate

Setup:
I have an ESP32 running a HTTPs-Server with a self-signed certificate. It provides status information about some homeautomation-devices.
Now I built a Vue-based PWA that is served from a public HTTPs-Server with a regular certificate.
The PWA requests data from the ESP in the local network via https://192.168...
After installing the PWA on my mobile device, Chrome warns me that my PWA accesses content from an untrusted-cert https (which is perfectly reasonable for me).
As a workaround I have to do the following (only once): Access https://192.168... in Chrome, where I get the warning for 'NET::ERR_CERT_AUTHORITY_INVALID' and allow this untrusted access.
After this workaround the PWA works great with the ESP32 even after restarting and updating it.
I want to use the PeriodicSync-API to get the status from my ESP32 once a day and show a notification on my mobile device if something's not ok.
I setup the service-worker to listen for the periodicsync-event and then fetch() data from the ESP32 via https.
Problem:
This works correctly if I connect to my device via chrome://inspect/#devices and simulate the 'periodicsync'-event.
But if I leave the app alone for 12-24 hours and the regular periodicsync-event is finally triggered then fetch(...) catches an error with the following reason: TypeError: Failed to fetch
My guess (after spending many hours on that issue) is that this error relates to the untrusted certificate. It seems that chrome remembers that I agreed on the unsafe access as long as the PWA is open but it does not adopt this agreement for the service-worker.
Question:
Any ideas how to trust a self-signed-certificate in the service-worker or tell the service worker it should use the same permission as the PWA?
A no-go is:
starting browser with certain flags
using a paid long-term-certificate on the ESP32

Turn off the https requirement for https gated web APIs in Chrome and Firefox

Many modern Web APIs are gated by the browser to be HTTPS only. This is good for users but can make developing painful. During development I'd like to be able to turn off that requirement just for testing.
Is there a flag I can set (about:config in firefox, about:flags in chrome) or a command line parameter I can pass in to turn off that requirement so I can test without having to setup https certs and add them to the browser?
Note: I understand the https requirement is dropped for localhost but I'm often hosting on one machine (like a laptop) and testing on another (like an Android device) or a different desktop. I know I can generate a local cert and run a server that supports https. I then have to deal with security warnings on the browsers (invalid cert) and/or add the private certs to all the devices OR I have to register a domain solely for the purpose of getting a valid cert via letsencrypt. For my own dev I'd just like to temporarily turn off that check in the browser if possible. Of course what I actually serve to users will be https but during dev if I could turn off that requirement things would be so much easier.
In my particular case I'm trying to use WebXR so dev happens on my laptop but actual testing happens on an Android device where the page is served from my laptop.
One solution suggested here is to use Chrome's port forwarding
https://developers.google.com/web/tools/chrome-devtools/remote-debugging/local-server
That works for Chrome desktop to Android
On your desktop you tell desktop chrome what site at what port to forward to your android device at another port. That site can be a server on the internet or a server running locally on your desktop. On the android device you can then access that site at http://localhost:<port-you-specified>. https requirements are dropped for localhost so you can now use the APIs that were restricted otherwise.
Chrome has a developer setting Insecure origins treated as secure in chrome://flags/, this is a text field where you can add a list of origins treated as secure for development purposes. (Via https://github.com/immersive-web/webxr/issues/60)

Chrome not sharing the cookie between the subdomains

When I use the value domain:".example.com" in my cookie, I expect it to support the subdomains xyz.example.com, abc.example.com etc
This works fine on mozilla firefox but does not seem to work on google chrome! On chrome it creates a new cookie for xyz.example.com which fails to serve the purpose.
Is this a known issue? Any help would be appreciated!
Thanks.
I know this is a bit of a far fetch, but not all domains can have cookies set to them. The https://publicsuffix.org/list/public_suffix_list.dat list is honored by Chrome, Firefox and Safari, to mention the most popular browsers.
Assuming the above example.com were s3-website-us-east-1.amazonaws.com, a very weird thing could be observed. The Set-Cookie header would be present in the response data, but browsers wouldn't display it in the network traffic inspector, nor would it have any effect. Because the data is there, it can be observed via e.g. curl.
Ref. RFC6265
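The behaviour described in this answer, following the Domain handling in RFC 6265 (sections 5.1.3, 5.2.3 and 5.3). This is an added example, not code from the original post or from any browser. The suffix set is a constructed two-entry excerpt checked by exact match, whereas the real list also has wildcard and exception rules.

```javascript
// Constructed excerpt of the Public Suffix List, for illustration only.
// Browsers ship the full list published at publicsuffix.org.
const PUBLIC_SUFFIXES = new Set([
  "com",
  "s3-website-us-east-1.amazonaws.com", // the suffix named in the answer above
]);

// Rough IP-literal test: domain-matching by suffix never applies to IPs.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatch(host, domain) {
  if (host === domain) return true;
  return host.endsWith("." + domain) && !isIp(host);
}

// RFC 6265 section 5.3, steps 5 and 6: what a user agent does with the
// Domain attribute of a Set-Cookie received from `requestHost`.
function evaluateCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // Section 5.2.3: lowercase the value and drop one leading dot.
  let domain = (domainAttr || "").toLowerCase();
  if (domain.startsWith(".")) domain = domain.slice(1);

  if (domain && PUBLIC_SUFFIXES.has(domain)) {
    if (domain !== host) {
      // Header is on the wire, but the cookie is silently ignored.
      return { stored: false, reason: "Domain is a public suffix" };
    }
    domain = ""; // host is itself a suffix: fall back to a host-only cookie
  }
  if (domain) {
    if (!domainMatch(host, domain)) {
      return { stored: false, reason: "request host does not domain-match" };
    }
    return { stored: true, hostOnly: false, domain };
  }
  return { stored: true, hostOnly: true, domain: host };
}

// Would a stored cookie be sent to `host`? (domain check only)
function sentTo(cookie, host) {
  if (!cookie.stored) return false;
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}
```

With `Domain=.example.com` set from xyz.example.com the cookie is stored and also sent to abc.example.com; the same attribute shape on a public suffix is dropped entirely.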

Lync Presence: namectrl Permission denied issue in IE

I have created Lync Presence and successfully integrated it in my SharePoint site. And it works fine in my environment.
When I deployed the solution to the production server, it shows an error in the namectrl.ShowOOUI method.
Permission denied
The error looks like this. It also does not work in Firefox in production, which also works in my environment.
After working on the issue, I finally found the solution: I am accessing the production site from a different domain than the production domain, that's why I got this error.
Everything works great if we add the domain on IE to trusted sites.
IE requires that the domain be added to trusted sites.
To add domain in trusted sites.
IE settings > Internet Options > Security tab,
add your SharePoint site to trusted sites and uncheck protected mode.
One workaround is to host the Silverlight application on a server that users have access to. Then you only need trust that server.
Reference

Meteor.js Application does not support IE 9

We are developing an application using node.js and meteor.js, this application is working fine in Firefox, Chrome and IE 10, but when we try to browse this application in IE-9, it doesn't load.
I have investigated the request/response of both browsers (IE9, Firefox) and I have found that for XHR requests, IE 9 uses iframe polling instead of web sockets for data transfer. IE 9 does not maintain the cookies in this case and that causes 401 errors for every XHR request. So the cookie is not being sent in the iframe in IE 9.
I have investigated how we can enable cookies for the iframe, and I have found that we can achieve this using privacy policy platform (p3p). To enable the p3p you will have to add p3p key in response header and privacy.policy file in w3c folder inside the domain folder. I have done all of this.
But things are not working in my case, I have done a lot of R&D to set the different -2 key of p3p. But still facing the issue of loading the application in IE9.
You may not be able to get there from here.
But there's support in Flow Router apparently. Support appears to be package by package.
https://kadira.io/blog/meteor/flow-router-ie9
