
Enhance cookies with prefixes ? #2785

Open
ozh opened this issue Nov 4, 2020 · 2 comments
Labels:
- enhancement (New feature or request)
- plugin (This is an idea for a plugin. Anyone interested in making it?)
- security

Comments


ozh commented Nov 4, 2020

As of writing, Firefox and Chrome support "cookie prefixes". Investigate this.

The __Secure- prefix makes a cookie accessible from HTTPS sites only. An HTTP site cannot read or update a cookie if the name starts with __Secure-. This protects against the attack we earlier described, where an attacker uses a forged insecure site to overwrite a secure cookie.

The __Host- prefix does the same as the __Secure- prefix and more. A cookie with the __Host- prefix is only accessible by the same domain it is set on. This means that a subdomain can no longer overwrite the cookie value.

References:

@ozh ozh added enhancement New feature or request security labels Nov 4, 2020

dgw commented Nov 5, 2020

I'd be concerned about user-agents that don't support the feature and accept any cookie's prefixed name regardless of whether it meets the conditions that prefix is meant to assert.
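The two comments above describe, respectively, what the __Secure- and __Host- prefixes promise and the worry that a user agent without prefix support will simply store the cookie. The following is an added example (not YOURLS code, not from either commenter) that makes both points concrete: a small checker that applies the prefix rules the way a conformant Firefox or Chrome does, and a builder that emits a __Host- cookie with every attribute the prefix requires, so the server never depends on the browser to fill the gap. The cookie names and values are constructed for the demonstration.

```python
"""Cookie-prefix rules (__Secure- / __Host-) as a conformant user agent
applies them, plus a helper that builds a Set-Cookie value satisfying them.

Constructed example for this issue thread; not YOURLS code.
Rules as implemented by Firefox and Chrome:
  __Secure-  : Secure attribute present, and set from a secure (HTTPS) origin.
  __Host-    : everything __Secure- requires, plus Path=/ and no Domain attribute.
"""

from typing import Dict, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def prefix_accepted(header: str, over_https: bool) -> bool:
    """Return True if a user agent that implements cookie prefixes would store
    this cookie. Unprefixed cookies are accepted here unconditionally; the
    other cookie rules are out of scope for this example."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs and over_https
    if name.startswith("__Host-"):
        return secure and attrs.get("path") == "/" and "domain" not in attrs
    if name.startswith("__Secure-"):
        return secure
    return True


def build_host_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value for a __Host- cookie carrying the attributes the
    prefix requires (Secure, Path=/, no Domain). HttpOnly and SameSite are not
    required by the prefix but are included as sensible defaults for a session
    cookie. The caller passes the bare name; the prefix is added here."""
    if name.startswith("__"):
        raise ValueError("pass the bare cookie name; the __Host- prefix is added here")
    return (f"__Host-{name}={value}; Secure; Path=/; HttpOnly; "
            f"SameSite=Lax; Max-Age={max_age}")


if __name__ == "__main__":
    # Constructed headers: the first is well-formed, the rest each break one rule.
    samples = [
        ("__Host-session=abc; Secure; Path=/", True),
        ("__Host-session=abc; Secure; Path=/; Domain=example.com", True),
        ("__Host-session=abc; Secure", True),
        ("__Secure-id=1; Path=/", True),
        ("__Secure-id=1; Secure", False),
    ]
    for header, https in samples:
        print(f"{'accept' if prefix_accepted(header, https) else 'reject':6}  {header}")
    print(build_host_cookie("session", "tok"))
```

A user agent that predates prefix support ignores all of this and stores whatever it is given, which is the concern raised above. The prefix is therefore an extra layer on top of the attributes, not a substitute for them: emitting the cookie through something like build_host_cookie ensures the Secure, Path and Domain settings are right on every browser, and the prefix adds protection only where the browser enforces it.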

@ozh ozh added the plugin This is an idea for a plugin. Anyone interested in making it? label Mar 23, 2022
@ozh ozh self-assigned this Mar 23, 2022

ozh commented Mar 23, 2022

For the record: https://caniuse.com/mdn-http_headers_set-cookie_cookie_prefixes

This should make a plugin; I'll give it a go.
