feat: support host only cookies

cli/CHANGELOG.md

@@ -3,6 +3,10 @@
 
 _Released 03/1/2023 (PENDING)_
 
+**Features:**
+
+- It is now possible to set `hostOnly` cookies with [`cy.setCookie()`](https://docs.cypress.io/api/commands/setcookie) for a given domain. Addresses [#16856](https://github.com/cypress-io/cypress/issues/16856) and [#17527](https://github.com/cypress-io/cypress/issues/17527).
+
 **Bugfixes:**
 
 - Fixed an issue where cookies were being duplicated with the same hostname, but a prepended dot. Fixed an issue where cookies may not be expiring correctly. Fixes [#25174](https://github.com/cypress-io/cypress/issues/25174), [#25205](https://github.com/cypress-io/cypress/issues/25205) and [#25495](https://github.com/cypress-io/cypress/issues/25495).

cli/types/cypress.d.ts

@@ -3569,12 +3569,49 @@ declare namespace Cypress {
  action: 'select' | 'drag-drop'
  }
 
+ /**
+ * Options that control how the `cy.setCookie` command
+ * sets the cookie in the browser.
+ * @see https://on.cypress.io/setcookie#Arguments
+ */
  interface SetCookieOptions extends Loggable, Timeoutable {
+ /**
+ * The path of the cookie.
+ * @default "/"
+ */
  path: string
+ /**
+ * Represents the domain the cookie belongs to (e.g. "docs.cypress.io", "github.com").
+ * @default location.hostname
+ */
  domain: string
+ /**
+ * Whether a cookie's scope is limited to secure channels, such as HTTPS.
+ * @default false
+ */
  secure: boolean
+ /**
+ * Whether or not the cookie is HttpOnly, meaning the cookie is inaccessible to client-side scripts.
+ * The Cypress cookie API has access to HttpOnly cookies.
+ * @default false
+ */
  httpOnly: boolean
+ /**
+ * Whether or not the cookie is a host-only cookie, meaning the request's host must exactly match the domain of the cookie.
+ * @default false
+ */
+ hostOnly: boolean
+ /**
+ * The cookie's expiry time, specified in seconds since Unix Epoch.
+ * The default is expiry is 20 years in the future from current time.
+ */
  expiry: number
+ /**
+ * The cookie's SameSite value. If set, should be one of `lax`, `strict`, or `no_restriction`.
+ * `no_restriction` is the equivalent of `SameSite=None`. Pass `undefined` to use the browser's default.
+ * Note: `no_restriction` can only be used if the secure flag is set to `true`.
+ * @default undefined
+ */
  sameSite: SameSiteStatus
  }
 
@@ -6104,6 +6141,7 @@ declare namespace Cypress {
  value: string
  path: string
  domain: string
+ hostOnly?: boolean
  httpOnly: boolean
  secure: boolean
  expiry?: number

cli/types/tests/cypress-tests.ts

@@ -1063,6 +1063,14 @@ namespace CypressSetCookieTests {
  expiry: 12345,
  sameSite: 'lax',
  })
+ cy.setCookie('name', 'value', {
+ domain: 'www.foobar.com',
+ path: '/',
+ secure: false,
+ httpOnly: false,
+ hostOnly: true,
+ sameSite: 'lax',
+ })
  cy.setCookie('name', 'value', { log: true, timeout: 10, domain: 'localhost' })
 
  cy.setCookie('name') // $ExpectError

packages/driver/cypress/e2e/commands/cookies.cy.js

@@ -562,6 +562,40 @@ describe('src/cy/commands/cookies - no stub', () => {
  })
  })
  })
+
+ it('sets the cookie on the specified domain as hostOnly and validates hostOnly property persists through related commands that fetch cookies', () => {
+ const isWebkit = Cypress.browser.name.includes('webkit')
+
+ cy.visit('http://www.barbaz.com:3500/fixtures/generic.html')
+ cy.setCookie('foo', 'bar', { hostOnly: true })
+
+ cy.getCookie('foo').its('domain').should('eq', 'www.barbaz.com')
+ if (!isWebkit) {
+ cy.getCookie('foo').its('hostOnly').should('eq', true)
+ }
+
+ cy.getCookies().then((cookies) => {
+ expect(cookies).to.have.lengthOf(1)
+
+ const cookie = cookies[0]
+
+ expect(cookie).to.have.property('domain', 'www.barbaz.com')
+ if (!isWebkit) {
+ expect(cookie).to.have.property('hostOnly', true)
+ }
+ })
+
+ cy.getAllCookies().then((cookies) => {
+ expect(cookies).to.have.lengthOf(1)
+
+ const cookie = cookies[0]
+
+ expect(cookie).to.have.property('domain', 'www.barbaz.com')
+ if (!isWebkit) {
+ expect(cookie).to.have.property('hostOnly', true)
+ }
+ })
+ })
 })
 
 describe('src/cy/commands/cookies', () => {
@@ -785,7 +819,7 @@ describe('src/cy/commands/cookies', () => {
 
  it('#consoleProps', () => {
  cy.getCookies().then(function (cookies) {
- expect(cookies).to.deep.eq([{ name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false }])
+ expect(cookies).to.deep.eq([{ name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false, hostOnly: false }])
  const c = this.lastLog.invoke('consoleProps')
 
  expect(c['Yielded']).to.deep.eq(cookies)
@@ -938,7 +972,7 @@ describe('src/cy/commands/cookies', () => {
 
  it('#consoleProps', () => {
  cy.getCookies().then(function (cookies) {
- expect(cookies).to.deep.eq([{ name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false }])
+ expect(cookies).to.deep.eq([{ name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false, hostOnly: false }])
  const c = this.lastLog.invoke('consoleProps')
 
  expect(c['Yielded']).to.deep.eq(cookies)
@@ -955,7 +989,7 @@ describe('src/cy/commands/cookies', () => {
  })
 
  cy.getCookie('foo').should('deep.eq', {
- name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false,
+ name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false, hostOnly: true,
  })
  .then(() => {
  expect(Cypress.automation).to.be.calledWith(
@@ -1196,7 +1230,7 @@ describe('src/cy/commands/cookies', () => {
  .then(() => {
  expect(Cypress.automation).to.be.calledWith(
  'set:cookie',
- { domain: 'localhost', name: 'foo', value: 'bar', path: '/', secure: false, httpOnly: false, expiry: 12345, sameSite: undefined },
+ { domain: 'localhost', name: 'foo', value: 'bar', path: '/', secure: false, httpOnly: false, hostOnly: false, expiry: 12345, sameSite: undefined },
  )
  })
  })
@@ -1212,7 +1246,7 @@ describe('src/cy/commands/cookies', () => {
  .then(() => {
  expect(Cypress.automation).to.be.calledWith(
  'set:cookie',
- { domain: 'brian.dev.local', name: 'foo', value: 'bar', path: '/foo', secure: true, httpOnly: true, expiry: 987, sameSite: undefined },
+ { domain: 'brian.dev.local', name: 'foo', value: 'bar', path: '/foo', secure: true, httpOnly: true, hostOnly: false, expiry: 987, sameSite: undefined },
  )
  })
  })
@@ -1461,7 +1495,7 @@ describe('src/cy/commands/cookies', () => {
 
  Cypress.automation
  .withArgs('set:cookie', {
- domain: 'localhost', name: 'foo', value: 'bar', path: '/', secure: false, httpOnly: false, expiry: 12345, sameSite: undefined,
+ domain: 'localhost', name: 'foo', value: 'bar', path: '/', secure: false, httpOnly: false, hostOnly: false, expiry: 12345, sameSite: undefined,
  })
  .resolves({
  name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false, hostOnly: true,
@@ -1494,7 +1528,7 @@ describe('src/cy/commands/cookies', () => {
 
  it('#consoleProps', () => {
  cy.setCookie('foo', 'bar').then(function (cookie) {
- expect(cookie).to.deep.eq({ name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false })
+ expect(cookie).to.deep.eq({ name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false, hostOnly: true })
  const c = this.lastLog.invoke('consoleProps')
 
  expect(c['Yielded']).to.deep.eq(cookie)
@@ -1688,7 +1722,7 @@ describe('src/cy/commands/cookies', () => {
  const c = this.lastLog.invoke('consoleProps')
 
  expect(c['Yielded']).to.eq('null')
- expect(c['Cleared Cookie']).to.deep.eq({ name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false })
+ expect(c['Cleared Cookie']).to.deep.eq({ name: 'foo', value: 'bar', domain: 'localhost', path: '/', secure: true, httpOnly: false, hostOnly: false })
  })
  })
 

packages/driver/cypress/e2e/e2e/origin/cookie_login.cy.ts

@@ -725,6 +725,7 @@ describe('cy.origin - cookie login', { browser: '!webkit' }, () => {
  expect(Cypress._.omit(cookie, 'expiry')).to.deep.equal({
  domain: 'www.foobar.com',
  httpOnly: false,
+ hostOnly: true,
  name: 'key',
  path: '/fixtures',
  sameSite: 'strict',
@@ -853,6 +854,7 @@ describe('cy.origin - cookie login', { browser: '!webkit' }, () => {
  expect(Cypress._.omit(cookie, 'expiry')).to.deep.equal({
  domain: 'www.foobar.com',
  httpOnly: false,
+ hostOnly: true,
  name: 'name',
  path: '/',
  sameSite: 'lax',

packages/driver/src/cy/commands/cookies.ts

@@ -4,10 +4,7 @@ import Promise from 'bluebird'
 import $utils from '../../cypress/utils'
 import $errUtils from '../../cypress/error_utils'
 
-// TODO: add hostOnly to COOKIE_PROPS
-// https://github.com/cypress-io/cypress/issues/363
-// https://github.com/cypress-io/cypress/issues/17527
-const COOKIE_PROPS = 'name value path secure httpOnly expiry domain sameSite'.split(' ')
+const COOKIE_PROPS = 'name value path secure hostOnly httpOnly expiry domain sameSite'.split(' ')
 
 function pickCookieProps (cookie) {
  if (!cookie) return cookie
@@ -359,6 +356,7 @@ export default function (Commands, Cypress: InternalCypress.Cypress, cy, state,
  path: '/',
  secure: false,
  httpOnly: false,
+ hostOnly: false,
  log: true,
  expiry: $utils.addTwentyYears(),
  })

packages/extension/app/background.js

@@ -179,6 +179,8 @@ const setOneCookie = (props) => {
  }
 
  if (props.hostOnly) {
+ // If the hostOnly prop is available, delete the domain.
+ // This will wind up setting a hostOnly cookie based on the calculated cookieURL above.
  delete props.domain
  }
 

system-tests/projects/e2e/cypress/e2e/cookies_spec_baseurl.cy.js

@@ -256,13 +256,19 @@ describe('cookies', () => {
 
  _.times(n + 1, (i) => {
  ['foo', 'bar'].forEach((tag) => {
+ const domain = (i % 2) === (8 - n) ? expectedDomain : altDomain
+
  const expectedCookie = {
  'name': `name${tag}${i}`,
  'value': `val${tag}${i}`,
  'path': '/',
- 'domain': (i % 2) === (8 - n) ? expectedDomain : altDomain,
+ // eslint-disable-next-line object-shorthand
+ 'domain': domain,
  'secure': false,
  'httpOnly': false,
+ ...(domain[0] !== '.' && domain !== 'localhost' && domain !== '127.0.0.1' ? {
+ 'hostOnly': true,
+ } : {}),
  }
 
  if (defaultSameSite) {