fix(network): Include subdomains of localhost when including cookies (#35771)

simenbrekken · web-flow · commit c3c842c77b3d · 2025-06-10T13:54:52.000-07:00
diff --git a/packages/playwright-core/src/server/cookieStore.ts b/packages/playwright-core/src/server/cookieStore.ts
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-import { kMaxCookieExpiresDateInSeconds } from './network';
+import { isLocalHostname, kMaxCookieExpiresDateInSeconds } from './network';
 
 import type * as channels from '@protocol/channels';
 
@@ -30,7 +30,7 @@ export class Cookie {
 
   // https://datatracker.ietf.org/doc/html/rfc6265#section-5.4
   matches(url: URL): boolean {
-    if (this._raw.secure && (url.protocol !== 'https:' && url.hostname !== 'localhost'))
+    if (this._raw.secure && (url.protocol !== 'https:' && !isLocalHostname(url.hostname)))
       return false;
     if (!domainMatches(url.hostname, this._raw.domain))
       return false;
diff --git a/packages/playwright-core/src/server/network.ts b/packages/playwright-core/src/server/network.ts
@@ -43,14 +43,18 @@ export function filterCookies(cookies: channels.NetworkCookie[], urls: string[])
         continue;
       if (!parsedURL.pathname.startsWith(c.path))
         continue;
-      if (parsedURL.protocol !== 'https:' && parsedURL.hostname !== 'localhost' && c.secure)
+      if (parsedURL.protocol !== 'https:' && !isLocalHostname(parsedURL.hostname) && c.secure)
         continue;
       return true;
     }
     return false;
   });
 }
 
+export function isLocalHostname(hostname: string): boolean {
+  return hostname === 'localhost' || hostname.endsWith('.localhost');
+}
+
 // Rollover to 5-digit year:
 // 253402300799 == Fri, 31 Dec 9999 23:59:59 +0000 (UTC)
 // 253402300800 == Sat,  1 Jan 1000 00:00:00 +0000 (UTC)
diff --git a/tests/library/global-fetch-cookie.spec.ts b/tests/library/global-fetch-cookie.spec.ts
@@ -37,7 +37,7 @@ type StorageStateType = PromiseArg<ReturnType<APIRequestContext['storageState']>
 it.skip(({ mode }) => mode !== 'default');
 
 const __testHookLookup = (hostname: string): LookupAddress[] => {
-  if (hostname === 'localhost' || hostname.endsWith('one.com') || hostname.endsWith('two.com'))
+  if (hostname.endsWith('localhost') || hostname.endsWith('one.com') || hostname.endsWith('two.com'))
     return [{ address: '127.0.0.1', family: 4 }];
   else
     throw new Error(`Failed to resolve hostname: ${hostname}`);
@@ -140,6 +140,20 @@ it('should send secure cookie over http for localhost', async ({ request, server
   expect(serverRequest.headers.cookie).toBe('a=v; b=v');
 });
 
+it('should send secure cookie over http for subdomains of localhost', async ({ request, server }) => {
+  server.setRoute('/setcookie.html', (req, res) => {
+    res.setHeader('Set-Cookie', ['a=v; secure', 'b=v']);
+    res.end();
+  });
+  const prefix = `http://a.b.localhost:${server.PORT}`;
+  await request.get(`${prefix}/setcookie.html`);
+  const [serverRequest] = await Promise.all([
+    server.waitForRequest('/empty.html'),
+    request.get(`${prefix}/empty.html`)
+  ]);
+  expect(serverRequest.headers.cookie).toBe('a=v; b=v');
+});
+
 it('should send not expired cookies', async ({ request, server }) => {
   server.setRoute('/setcookie.html', (req, res) => {
     const tomorrow = new Date();
