
Session cookies bug

Open AlexusGAN opened this issue 4 years ago • 4 comments

Good afternoon!

I think I discovered a fairy bug in cef python related to session cookies. Session cookies that come with a server response are simply ignored by cef python and are not sent to that server on the next request. Because of this, some sites where client authentication is based on session cookies simply cannot be opened by any version of the cef python browser. At the same time, any external browser opens them without problems.

Example: https://partner.ingrad.ru. On the first call the server sends the browser the session cookie _JS_P=99,1800 for the following authorization, which the cef browser for some unknown reason (probably, a bug) does not even think to install (there is nothing in Dev Tools) and does not send it with the next request. As a result, the js-code on the authorization page, reading the empty cookie, is executed with an error and the site does not load.

After researching the issue, I found out that on other sites, session cookies are not set by the cef python browser either. The mail.yandex.ru email client, for example. All other browsers store session cookies there, but cef python does not.

AlexusGAN avatar Nov 19 '21 13:11 AlexusGAN

webos mijo

marioxavi1998 avatar Dec 16 '21 03:12 marioxavi1998

I've bumped into the same issue doing a quick PoC with a web application which is using the Microsoft Authentication Library (MSAL) for Python.

This might be related to the handling of the SameSite flag.

With the "default" settings from pywin32.py, these are the results from the SameSite 🍪 sandbox:

image

With Chrome 97.0.4692.71 and its settings, the results look like this:

image

dannmartens avatar Jan 05 '22 10:01 dannmartens

These are the results from cefclient.exe (cef_binary_96.0.18+gfe551e4+chromium-96.0.4664.110_windows64_client):

image

dannmartens avatar Jan 05 '22 10:01 dannmartens

Yes, because the latest cefpython is based on Chromium 66.0.3359.181. It's too old and doesn't handle the 'SameSite' flag correctly. As we know, the latest version of CEF is based on Chromium 99.0+ now!

encoderlee avatar Mar 04 '22 14:03 encoderlee
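A local check for the behaviour reported in this thread, added here as an example and not code from cefpython or from any commenter: a small server sets session cookies with each SameSite variant and then reports which ones the browser sends back. The cookie names, the `/check` path and port 8000 are assumptions made for the example.

```python
# Added example: local probe for session-cookie round-tripping.
# All names below (PROBES, report, /check, port 8000) are hypothetical.
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed probe cookies. None carries Expires or Max-Age, so each one
# is a session cookie, the kind the issue says is dropped.
PROBES = {
    "probe_plain": "",
    "probe_lax": "; SameSite=Lax",
    "probe_strict": "; SameSite=Strict",
    # Current Chromium rejects SameSite=None unless Secure is also set.
    "probe_none": "; SameSite=None",
}


def set_cookie_headers():
    """Set-Cookie values sent with the first response."""
    return [f"{name}=1; Path=/{attrs}" for name, attrs in PROBES.items()]


def report(cookie_header):
    """Map each probe name to True if the client sent it back."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: name in jar for name in PROBES}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/check":
            # Second request: list which probes arrived in the Cookie header.
            result = report(self.headers.get("Cookie"))
            body = "\n".join(
                f"{k}: {'returned' if v else 'MISSING'}" for k, v in result.items())
            headers, ctype = [], "text/plain"
        else:
            # First request: set every probe, then link to the check page.
            body = '<a href="/check">check which cookies come back</a>'
            headers, ctype = set_cookie_headers(), "text/html"
        self.send_response(200)
        for value in headers:
            self.send_header("Set-Cookie", value)
        self.send_header("Content-Type", ctype)
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Load `http://127.0.0.1:8000/` in the embedded browser and in a reference browser, follow the link, and compare the two reports.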