Can't set cookie in Excel Office Add-in from server #5771

Open
@b-gonzalez

Description

I wrote some code to set an HttpOnly cookie from my backend this weekend. I tested the code and it works correctly in a few different web browsers (Chrome, Firefox, and Edge) and in Postman. However, when I tried using it in an Office.js add-in, it did not work. The cookie is not showing as available in DevTools.

The issue is not related to it being an HttpOnly cookie. I can remove the HttpOnly parameter but the cookie is still not being set from the backend.

Your Environment

  • Platform [PC desktop, Mac, iOS, Office on the web]: Desktop
  • Host [Excel, Word, PowerPoint, etc.]: Excel
  • Office version number: Microsoft® Excel® for Microsoft 365 MSO (Version 2506 Build 16.0.18925.20000) 64-bit
  • Operating System: Windows
  • Browser (if using Office on the web): N/A

Expected behavior

I expect that setting the cookie from the backend will set the cookie. This cookie, if not HttpOnly, should be available in document.cookie. And if HttpOnly, should be available in the cookies in the request.

Current behavior

I am not able to set any type of cookie from my backend as far as I can tell.

Steps to reproduce

Create a web server with a route that writes a cookie from the backend. Call this route from an Office.js add-in. If the cookie is not HttpOnly, after the route is called, check document.cookies in DevTools. Document.cookies should not have the cookie that should have been set by the backend. But if you test with the browsers I listed previously or with Postman it should be available.

You can see the below code as an example with Express.js:

import express from "express";
import cookieParser from 'cookie-parser'
import { serialize, CookieSerializeOptions } from 'cookie';

const port = 3000;

export let app = express();

app.use(cookieParser());

const options:CookieSerializeOptions = {
    secure: false, //needs to be set to false to work correctly with Postman
    sameSite: "strict",
    maxAge: 60 * 60 * 24 * 30,
    path: '/',
  }

app.get('/test', function(req, res) {
  let token = "test_cookie"

  const serialized = serialize('test', token, options);
  res.setHeader('Set-Cookie', serialized);
  res.status(200).json({
    testSuccess: true,
  });
})

app.listen(port, () => {
  console.log(`Listening on port ${port}`);
});

Context

I'm not able to set HttpOnly cookies which presents a security risk e.g. with XSS.
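
A check on the header the posted route emits, added here as an example and not part of the original issue: it parses a Set-Cookie value and reports what its attributes declare about script access and request scope, without claiming why the add-in's webview does not store the cookie. `ISSUE_HEADER` is a constructed value matching the posted `options`, and `parseSetCookie` and `auditSetCookie` are hypothetical helper names.

```javascript
// Added example (not from the issue): parse a Set-Cookie header and report
// what its attributes mean for script access and request scope.

// Constructed sample: the header that serialize('test', 'test_cookie', options)
// yields for the options object shown in the issue.
const ISSUE_HEADER = "test=test_cookie; Max-Age=2592000; Path=/; SameSite=Strict";

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("Set-Cookie must start with name=value");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive; flags such as HttpOnly have no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = String(attrs.samesite || "unset").toLowerCase();
  const findings = [];
  if (!attrs.httponly) findings.push("no HttpOnly: readable through document.cookie");
  if (!attrs.secure) findings.push("no Secure: also sent over plain HTTP");
  if (sameSite === "none" && !attrs.secure)
    findings.push("SameSite=None without Secure: rejected where that rule is enforced");
  if (sameSite === "strict" || sameSite === "lax")
    findings.push(`SameSite=${sameSite}: withheld from cross-site subrequests`);
  return {
    name,
    scriptReadable: !attrs.httponly,
    secureOnly: Boolean(attrs.secure),
    sameSite,
    findings,
  };
}

// Header from the issue, then a constructed hardened header for comparison.
console.log(auditSetCookie(ISSUE_HEADER));
console.log(auditSetCookie("sid=abc; Path=/; HttpOnly; Secure; SameSite=None"));
```
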

Labels

  • Area: Excel (Issue related to Excel add-ins)
  • Needs: attention 👋 (Waiting on Microsoft to provide feedback)