Enhance cookies with prefixes ? #2785

ozh · 2020-11-04T20:37:05Z

As of writing, Firefox and Chrome support "cookie prefixes". Investigate this.

The __Secure- prefix makes a cookie accessible from HTTPS sites only. A HTTP site can not read or update a cookie if the name starts with __Secure-. This protects against the attack we earlier described, where an attacker uses a forged insecure site to overwrite a secure cookie.

The __Host- prefix does the same as the __Secure- prefix and more. A __Host--prefixed cookie is only accessible by the same domain it is set on. This means that a subdomain can no longer overwrite the cookie value.

References:

The text was updated successfully, but these errors were encountered:

dgw · 2020-11-05T00:23:59Z

I'd be concerned about user-agents that don't support the feature and accept any cookie's prefixed name regardless of whether it meets the conditions that prefix is meant to assert.

ozh · 2022-03-23T22:32:26Z

For the record : https://caniuse.com/mdn-http_headers_set-cookie_cookie_prefixes

This should make a plugin, I'll give it a go.

ozh added enhancement New feature or request security labels Nov 4, 2020

ozh added the plugin This is an idea for a plugin. Anyone interested in making it? label Mar 23, 2022

ozh self-assigned this Mar 23, 2022

Enhance cookies with prefixes ? #2785

Enhance cookies with prefixes ? #2785

ozh commented Nov 4, 2020

dgw commented Nov 5, 2020

ozh commented Mar 23, 2022

Enhance cookies with prefixes ? #2785

Enhance cookies with prefixes ? #2785

Comments

ozh commented Nov 4, 2020

dgw commented Nov 5, 2020

ozh commented Mar 23, 2022