html cookies browser http-headers

Clear-Site-Data "*" : Different behavior in both Firefox and Chrome


I am facing an issue with:

Clear-Site-Data "*"

I have two domains using two web servers: a.mywebsite.com and b.mywebsite.com

'b' is an iframe in 'a'.

When I click logout, I call the logout first on b.mywebsite.com/logout and after a.mywebsite.com/logout.

b.mywebsite.com returns in the HTML header Clear-Site-Data "*"

I noticed that in Firefox and Chrome, the behavior is different.

In the Chrome browser: after calling b.mywebsite.com/logout and returning the HTML header Clear-Site-Data "*", it will clear all the cookies from all of mywebsite.com, including a.mywebsite.com cookies, even though some cookies belong only to 'a'.

However, in Firefox, it only clears b.mywebsite.com or the common cookies between a and b.

This results in the Chrome user having their cookies cleared but not actually being logged out in the server side, as the server receives the request without any cookies.

Question: Can someone help me align the Clear-Site-Data "*" behavior in Chrome with Firefox? I aim for Clear-Site-Data "*" to clear only the cookies of site B or the common ones.

Thanks.


Solution

  • There is a bug in Chromium browsers related to how they handle the Clear-Site-Data header. Currently, when Clear-Site-Data is used in a Chromium browser, it clears all cookies for every subdomain. In my case, this affects both website-a and website-b, contrary to the documentation, which suggests that it should only clear cookies for its own subdomain. I implemented a workaround to solve the issue. I executed a fetch request to the logout page from website-a to clear the session on the server side, without including the Clear-Site-Data header that would clear the browser cookies. After that, I triggered the logout page from website-b by embedding it in an iframe, triggering the header to clear site data. This approach effectively clears all cookies for website-a and website-b in Chromium browsers. To clean website-a in Firefox, I made a second request to website-a to request the logout page, but this time asking it to include Clear-Site-Data to clean the browser cookies.
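The three-step logout order from the answer above, as an added JavaScript example that is not code from the question or the answer. It assumes a hypothetical `?clear=1` query parameter that tells the server whether to attach Clear-Site-Data, and it injects `fetchFn` and `loadIframe` so the sequence can be exercised outside a browser.

```javascript
// Server side: decide which headers a /logout endpoint sends for a given request URL.
// The "clear" query parameter is an assumption for this example, not from the page.
function logoutResponseHeaders(url) {
  const u = new URL(url);
  const headers = {
    // Expire the session cookie server-side too, so server and browser state agree
    // even when a browser does not honour Clear-Site-Data (e.g. on plain http).
    'Set-Cookie': 'session=; Max-Age=0; Path=/; Secure; HttpOnly',
    'Cache-Control': 'no-store',
  };
  if (u.searchParams.get('clear') === '1') {
    headers['Clear-Site-Data'] = '"*"'; // value is a quoted string, as in the question
  }
  return headers;
}

// Browser helper: load a URL in a hidden iframe and resolve once it has loaded.
function loadIframeInBrowser(url) {
  return new Promise((resolve) => {
    const f = document.createElement('iframe');
    f.style.display = 'none';
    f.onload = () => { f.remove(); resolve(); };
    f.src = url;
    document.body.appendChild(f);
  });
}

// Client side: the order the answer describes. Returns the steps taken for inspection.
async function logoutSequence({ fetchFn, loadIframe }) {
  const steps = [];
  // 1. Log out of site A without Clear-Site-Data: the server session dies, cookies stay for now.
  await fetchFn('https://a.mywebsite.com/logout', { credentials: 'include' });
  steps.push('a:no-clear');
  // 2. Load site B's logout in an iframe with Clear-Site-Data. In Chromium this wipes
  //    cookies for every mywebsite.com subdomain; in Firefox only B's own cookies.
  await loadIframe('https://b.mywebsite.com/logout?clear=1');
  steps.push('b:clear');
  // 3. Ask site A's logout again, this time with Clear-Site-Data, so Firefox clears A too.
  await fetchFn('https://a.mywebsite.com/logout?clear=1', { credentials: 'include' });
  steps.push('a:clear');
  return steps;
}
```

In a real page, call `logoutSequence({ fetchFn: fetch, loadIframe: loadIframeInBrowser })` from the logout button handler; the order matters because once step 2 runs in Chromium, site A's cookies are already gone and a later request to A carries no session.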