Kagi Search: unable to login using EWW browser

geneg1

Trying to login to https://kagi.com/html/signin using the EWW browser from Emacs 29.4 results in a "403 Forbidden" error.

Response from Kagi support:

The team is able to reproduce this issue. It seems it is happening because cookies are not set properly
when using EWW browser.
Could you please submit a bug report in the forum so we can track and prioritize the issue?

Correct email/password combination should be accepted and I should be able to use Kagi Search from EWW.

pixel

geneg1
Thanks for making this.

I looked into it briefly (having never used eww before) and it does seem like no cookies are being saved.
In contrast with something like google where I can see cookies being stored.
Testing on a 'normal' browser like firefox, the _kagi_search_ cookie (which provides CSRF, which is the issue here) is being set correctly on the /html route.

I am not quite sure why this is happening, though, since I am not sure how to necessarily debug this application to view raw network requests and what not (to ensure that the Set-Cookie header is being received at the very least)

If you know how to do that or can provide some further debugging details that would be very helpful!

RoxyRoxyRoxy

CC @pixel

geneg1

Sure here is the HTTPS request:

POST /login HTTP/1.1
MIME-Version: 1.0
Connection: close
Host: kagi.com
Accept-encoding: gzip
Accept: text/html, text/plain, text/sgml, text/css, application/xhtml+xml, */*;q=0.01
User-Agent: URL/Emacs Emacs/29.4 (Mac; aarch64-apple-darwin23.6.0)
Referer: https://kagi.com/html/signin
Content-Type: application/x-www-form-urlencoded
Content-length: 147

_csrf=W72wAnILtCK95iRJ36TYwypwgtsd_JgVRIrq0dBKMv6KMQAVL9GzPsLuqWlFchDWTscOpmUjd-YnCR40_-0L0A%3D%3D&password=REDACTED&email=REDACTED

Note that both my email address and my password include an @ sign, which is URL encoded as %40 in the request above. Maybe that's what's causing problems?

Here are the response headers. Note that no Set-Cookie is attempted.

HTTP/1.1 403 Forbidden
content-type: text/html
x-guploader-uploadid: ABgVH8_EWht76CiQMOH_tpgakfKHNhhztdZXAir9Xn5R8mqTeY37o5KqDp0Z14MZiv3AF1Ty
date: Wed, 20 Aug 2025 04:09:49 GMT
cache-control: public, max-age=86400
expires: Thu, 21 Aug 2025 04:09:49 GMT
last-modified: Thu, 17 Jul 2025 18:39:20 GMT
x-goog-generation: 1752777560137262
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 2704
x-goog-hash: crc32c=4QI9QQ==
x-goog-hash: md5=7jw4z9RR+1Ha7K4SCd3oLw==
x-goog-storage-class: STANDARD
accept-ranges: bytes
vary: Origin, Accept-Encoding
server: UploadServer
via: 1.1 google
content-encoding: gzip
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Transfer-Encoding: chunked
Connection: close

geneg1

Just tried changing my password to exclude the ampersand and it didn't make a difference.

geneg1

When I try the same request in Safari it works fine:

:method: POST
:scheme: https
:authority: kagi.com
:path: /login
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
content-type: application/x-www-form-urlencoded
origin: https://kagi.com
sec-fetch-site: same-origin
sec-fetch-mode: navigate
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Safari/605.1.15
referer: https://kagi.com/html/signin
sec-fetch-dest: document
content-length: 147
accept-language: en-CA,en-US;q=0.9,en;q=0.8
priority: u=0, i
accept-encoding: gzip, deflate, br
cookie: kagi_scssion=REDACTED
cookie: _kagi_search_=REDACTED

_csrf=mSP3wJlT-8Wp5Qy8aPocOCGGNJXYvb55202MJbT6_wxI2REg5Me9KRdKcw4gxL6bxkP4Df8yg4uRHoHzGTwvfA%3D%3D&email=REDACTED&password=REDACTED

Ah I see. Safari has a couple of session cookies set that EWW does not.

geneg1

Ok in Safari, when I GET kagi.com/html/signin, I see that a session cookie gets set:

:status: 200
x-request-id: dbf80822e947238de25dd60749d67f44
x-kagi-trace: dbf80822e947238de25dd60749d67f44
date: Wed, 20 Aug 2025 04:47:34 GMT
x-frame-options: SAMEORIGIN
content-security-policy: default-src 'none';base-uri 'none';connect-src 'self' https://speedtest.kagi-0e7.workers.dev https://kagi.com https://*.kagi.com/ https://*.kagicdn.com/ https://*.mapbox.com/ https://api.mapbox.com/ https://*.hereapi.com/ https://en.wikipedia.org/* https://*.apple-mapkit.com/ https://gsp10-ssl.ls.apple.com https://static.midomi.com https://*.googleapis.com https://*.gstatic.com https://tile.openstreetmap.org;font-src 'self' https://*.kagi.com/ https://*.kagicdn.com/ https://kagi.com https://fonts.gstatic.com data:; form-action 'self' https:;frame-src 'self' https://*.kagi.com/ https://www.paypal.com/  https://challenges.cloudflare.com; frame-ancestors 'none';img-src 'self'  https://*.apple-mapkit.com/ https://*.kagi.com/ https://*.kagicdn.com/ http://static.soundhound.com https://upload.wikimedia.org https://kagifeedback.org https://*.gstatic.com https://*.googleapis.com https://www.paypalobjects.com/ https://tile.openstreetmap.org data: blob:; media-src 'self' https://kagifeedback.org https://*.kagi.com/ https://*.kagicdn.com/; style-src 'self' https://*.kagi.com/ https://*.kagicdn.com/ https://static.midomi.com https://*.googleapis.com https://api.mapbox.com 'unsafe-inline' https://api.mapbox.com/; worker-src 'self' https://*.kagi.com/ blob:;child-src 'self' https://*.kagi.com/ blob:;manifest-src 'self';object-src 'none';
referrer-policy: same-origin
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-xss-protection: 1
permissions-policy: interest-cohort=()
cross-origin-opener-policy: same-origin
accept-ch: UA, UA-Mobile, Save-Data, RTT
onion-location: http://kagi2pv5bdcxxqla5itjzje2cgdccuwept5ub6patvmvn3qgmgjd6vid.onion/html/signin
content-type: text/html
content-encoding: gzip
content-length: 7947
set-cookie: _kagi_search_=REDACTED; domain=; path=/; expires=Sun, 07 May 2045 04:47:34 GMT; Secure; HttpOnly; SameSite=Lax
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

geneg1

And a request from EWW also triggers a Set-Cookie:

HTTP/1.1 200 OK
x-request-id: becd2bae1846f364256e34ba14489d7a
x-kagi-trace: becd2bae1846f364256e34ba14489d7a
date: Wed, 20 Aug 2025 04:51:48 GMT
X-Frame-Options: SAMEORIGIN
content-security-policy: default-src 'none';base-uri 'none';connect-src 'self' https://speedtest.kagi-0e7.workers.dev https://kagi.com https://*.kagi.com/ https://*.kagicdn.com/ https://*.mapbox.com/ https://api.mapbox.com/ https://*.hereapi.com/ https://en.wikipedia.org/* https://*.apple-mapkit.com/ https://gsp10-ssl.ls.apple.com https://static.midomi.com https://*.googleapis.com https://*.gstatic.com https://tile.openstreetmap.org;font-src 'self' https://*.kagi.com/ https://*.kagicdn.com/ https://kagi.com https://fonts.gstatic.com data:; form-action 'self' https:;frame-src 'self' https://*.kagi.com/ https://www.paypal.com/  https://challenges.cloudflare.com; frame-ancestors 'none';img-src 'self'  https://*.apple-mapkit.com/ https://*.kagi.com/ https://*.kagicdn.com/ http://static.soundhound.com https://upload.wikimedia.org https://kagifeedback.org https://*.gstatic.com https://*.googleapis.com https://www.paypalobjects.com/ https://tile.openstreetmap.org data: blob:; media-src 'self' https://kagifeedback.org https://*.kagi.com/ https://*.kagicdn.com/; style-src 'self' https://*.kagi.com/ https://*.kagicdn.com/ https://static.midomi.com https://*.googleapis.com https://api.mapbox.com 'unsafe-inline' https://api.mapbox.com/; worker-src 'self' https://*.kagi.com/ blob:;child-src 'self' https://*.kagi.com/ blob:;manifest-src 'self';object-src 'none';
referrer-policy: same-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-xss-protection: 1
permissions-policy: interest-cohort=()
cross-origin-opener-policy: same-origin
accept-ch: UA, UA-Mobile, Save-Data, RTT
onion-location: http://kagi2pv5bdcxxqla5itjzje2cgdccuwept5ub6patvmvn3qgmgjd6vid.onion/html/signin
content-type: text/html
content-encoding: gzip
set-cookie: _kagi_search_=REDACTED; domain=; path=/; expires=Sun, 07 May 2045 04:51:48 GMT; Secure; HttpOnly; SameSite=Lax
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Transfer-Encoding: chunked
Connection: close

```

geneg1

Ok I think I see what's going on. The kagi.com cookie specifies domain=; which is being interpreted by EWW as an empty domain, and the cookie never gets set. I'm not sure what the correct interpretation of an empty domain is, but anyway I can work around this at my end. Thanks for your willingness to help but I don't think any further action is required on this issue.

For posterity, here is the modified Emacs Lisp function to workaround this in EWW on Emacs 29.4:

(defun url-cookie-host-can-set-p (host domain)
  (cond
   ((string= host domain)	; Apparently netscape lets you do this
    t)
   ((zerop (length domain))   ; Need for kagi.com
    t)
   (t
    ;; Remove the dot from wildcard domains before matching.
    (when (eq ?. (aref domain 0))
      (setq domain (substring domain 1)))
    (and (url-domsuf-cookie-allowed-p domain)
         (string-suffix-p domain host 'ignore-case)))))

pixel

geneg1

Glad you figured it out!
Good to know that is how eww functions for the future.

We'll likely be changing that cookie being sent at some point in the near future anyway, at which point we'll set a proper domain just to have it like we do for our other ones.

unfancybear

It might be a good idea to open an emacs bug about this. Based on MDN I'd say empty domain= is the same as domain being unset viz. cookie applies to the current host.