Skip to content

fix: correctly handle __Host and __Secure cookies when restoring state#1255

Merged
shadowusr merged 1 commit into
masterfrom
users/shadowusr/TESTPLANE-996.save-state-fixes
Jun 9, 2026
Merged

fix: correctly handle __Host and __Secure cookies when restoring state#1255
shadowusr merged 1 commit into
masterfrom
users/shadowusr/TESTPLANE-996.save-state-fixes

Conversation

@shadowusr

Copy link
Copy Markdown
Member

What's done?

Some websites use __Host and __Secure cookies. We currently may work with them incorrectly. These cookies are special (per google):

  • __Secure- cookies require an encrypted HTTPS connection and the Secure attribute to protect sensitive data from being intercepted or modified over insecure HTTP.

  • __Host- cookies enforce maximum isolation by locking the cookie strictly to the issuing domain and the root path (Path=/), blocking subdomains from stealing or overwriting it.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 69f70e201a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +20 to +23
const cookieWithoutDomain = { ...cookie };
delete cookieWithoutDomain.domain;

return { ...cookieWithoutDomain, path: "/", secure: true };

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve the saved host for __Host cookies

When a state file or data object contains a __Host- cookie for a host other than the currently open page, deleting domain leaves the cookie with neither domain nor url. The DevTools path then lets Puppeteer fill the missing URL from the current page, and WebDriver defaults a missing domain to the current document, so the restore writes the host-only cookie to the wrong host instead of the saved one. This corrupts restored auth state for flows that restore saved cookies after navigating to a different origin; use the saved domain to build a URL or require navigating to that host instead of dropping it completely.

Useful? React with 👍 / 👎.

@shadowusr shadowusr force-pushed the users/shadowusr/TESTPLANE-995.repl-instrumentation branch 2 times, most recently from 71d15d4 to 211b395 Compare June 8, 2026 21:25
Base automatically changed from users/shadowusr/TESTPLANE-995.repl-instrumentation to master June 9, 2026 09:26
@shadowusr shadowusr force-pushed the users/shadowusr/TESTPLANE-996.save-state-fixes branch from 69f70e2 to fb85436 Compare June 9, 2026 09:37
@pkg-pr-new

pkg-pr-new Bot commented Jun 9, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/gemini-testing/testplane@1255

commit: fb85436

@shadowusr shadowusr merged commit e3eca80 into master Jun 9, 2026
8 of 9 checks passed
@shadowusr shadowusr deleted the users/shadowusr/TESTPLANE-996.save-state-fixes branch June 9, 2026 14:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants