Direct IPv6 access: password cookie not set in Firefox and Edge

[delfer]

• code-server version: 1.1119-vsc1.33.1
• OS Version: Arch Linux Release: 2019.06.01 Kernel: 5.1.5

Description

IPv6 works when accessing by domain with AAAA record. When using IP in form http://[2022:1111:1111:1111:1111:1111:1111:1111]:8080/ - can not login.

Steps to Reproduce

1. Start server with ./code-server -h :: -p 8080 -H -P password
2. Start Firefox 67.0 or Microsoft Edge 18.17763
3. Enter address http://[2022:1111:1111:1111:1111:1111:1111:1111]:8080/ - replace with correct IPv6
4. Enter password and press Enter IDE
5. Cookie with password not set and you will be returned to /login/ page

Possible workarounds

1. Use Latest Chrome
2. Use domain name with AAAA record

[deansheather]

Tested in Chromium and Firefox. Chromium worked fine, but Firefox wouldn't store the password cookie. Seems like a Firefox bug (and possibly Edge as you mentioned), as the following works in Chrome but not Firefox:

document.cookie = 'password=2944f62c1c13329748338c80;path=/;domain=[::1]';

You can get this to work in Firefox by omitting the ;domain=[::1] part:

document.cookie = 'password=2944f62c1c13329748338c80;path=/';

We could fix this by omitting the domain part from the cookie in the login script, as the browser should default to the current domain, but I'm not sure if this is safe/encouraged.

[code-asher]

Fixed in v2.