Brave overwrites the expiration day of long-living cookies, that were set from JavaScript

Description of the issue:

On a static website the only way to set cookies is with JavaScript. It seems, when I want to create a ticket that should not expire in the near future (e.g.: 1 year) the browser sets it to only 7 days.
On my website I have this mandatory GDPR popup accept/decline state saved into cookie, but it keeps pop up every week.

Steps to Reproduce (add as many as necessary): 1. 2. 3.

Open the dev tools console on any website. Create a 1 year cookie with the following code:

let days = 365;
let date = new Date;
date.setTime(date.getTime() + 24 * days * 60 * 60 * 1e3);
document.cookie = 'test=xxxxx;expires='+date.toUTCString()+';path=/;SameSite=Lax;secure';

Actual Result (gifs and screenshots are welcome!):

The cookie expires 7 days from now: https://i.postimg.cc/BQZ0Bt7J/expire.png

Expected result:

The new cookie should expire 365 days from now.

Reproduces how often:

Every time.

Operating System and Brave Version(See the About Brave page in the main menu):

  • OS: macOS Catalina 10.15.2 (but experienced also on Windows 10)
  • Brave: Version 1.2.43 Chromium: 79.0.3945.130 (Official Build) (64-bit)

Additional Information:
This issue happens only in Brave and Safari browsers. In Chrome, FF, Opera and Edge it works as expected.

There are more and more static websites on the market, and the GDPR Consent is mandatory within the European Union. These websites can only store such decision in cookies. But bothering users too often is not a good practice. Please provide a fix or a solution how to create long term, non-tracking cookies from JavaScript.

Related: https://github.com/brave/brave-browser/issues/3443

2 Likes

Thank you @fanboynz :slight_smile: I tried to find a related topic, but I forget to check on GitHub.

I already rewrote my code to “renew” these privacy cookies if they are exist. This way I can keep them there for regular visitors.

1 Like

This is deliberate. Brave prioritizes technically blocking tracking over relying on websites to behave.

I guess my big question about this particular scenario is — if you have a static website, what data collection are you asking people to consent to, and why/how is that conditioned on a cookie?

3 Likes

Yes I have a static website (generated by Jekyll), but I also allow the visitors to leave comments under the posts. For this I use the commento.io JavaScript library. And since it’s a third party tool, which uses cookies, and maybe tracking cookies too, I’d like to ask the visitors if they allow this or not. And I want to save their decision somewhere longer than 7 days. But I rewrote it to use the localStorage instead of Cookies.