
RFC6265bis: The Secure Attribute section may be incorrectly warning that a secure cookie can be overwritten by an insecure origin #1627

Closed
sbingler opened this issue Aug 31, 2021 · 4 comments
@sbingler (Collaborator)
Section-4.1.2.5 states "An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity".

This warning appears to be out of date since Leave Secure Cookies Alone updated the spec to disallow insecure origins (schemes) from overwriting Secure cookies set by secure origins.

If there is in fact some other mechanism in which an insecure origin can overwrite a Secure cookie set by a secure origin then section 8.6 should be updated to list it (ignoring any origins which the UA might consider trustworthy, such as localhost).

@recvfrom (Contributor)

recvfrom commented Sep 1, 2021

Another section that could be updated to make this more clear is the "__Secure-" Prefix section. Currently it makes no mention of cookies needing to be set from a secure origin like the "__Host-" Prefix section does.
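The two rules under discussion (the Leave Secure Cookies Alone storage rule from the issue description, and the Secure-origin requirement for the "__Secure-" and "__Host-" prefixes from the comment above) are easiest to see as user-agent storage logic. The following is an added example written for this page, not code from the draft, from the http-extensions repository, or from any browser. It models a cookie jar as an array and applies, in order, the prefix checks, the "Secure cookies only from secure schemes" rule, and the "an insecure scheme may not shadow an existing Secure cookie" rule. Names such as `storeCookie` and `demo`, and the `example.com` hosts, are assumptions made for the illustration; Expires/Max-Age, SameSite and public-suffix handling are deliberately left out.

```javascript
'use strict';

// Added example: a minimal model of the RFC6265bis cookie storage rules for
// Secure cookies and the __Secure-/__Host- prefixes. Not the draft's own
// text or any browser's code. Cookie jar entries are plain objects:
// { name, value, domain, path, secure, hostOnly }.

// Parse a Set-Cookie header value. Only the attributes the rules need.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? '' : pair.slice(0, eq).trim();
  const value = eq < 0 ? pair : pair.slice(eq + 1).trim();
  // Without a Domain attribute the cookie is host-only for the request host.
  const cookie = { name, value, domain: requestHost, path: '/', secure: false, hostOnly: true };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
    else if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// RFC 6265 "domain-matches": str equals domain or is a subdomain of it.
function domainMatches(str, domain) {
  return str === domain || str.endsWith('.' + domain);
}

// RFC 6265 "path-matches": requestPath equals cookiePath or extends it
// at a '/' boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Apply the storage rules for one Set-Cookie received on requestUrl.
// Returns { stored, reason } and mutates jar on success.
function storeCookie(jar, requestUrl, header) {
  const url = new URL(requestUrl);
  const secureRequest = url.protocol === 'https:';
  const c = parseSetCookie(header, url.hostname);

  // Prefix rules: both prefixes require the Secure attribute AND a secure
  // scheme; __Host- additionally forbids Domain and requires Path=/.
  if (c.name.startsWith('__Secure-') && !(c.secure && secureRequest)) {
    return { stored: false, reason: '__Secure- requires Secure and a secure scheme' };
  }
  if (c.name.startsWith('__Host-') &&
      !(c.secure && secureRequest && c.hostOnly && c.path === '/')) {
    return { stored: false, reason: '__Host- requires Secure, secure scheme, no Domain, Path=/' };
  }

  // A Secure cookie set over an insecure scheme is ignored outright.
  if (c.secure && !secureRequest) {
    return { stored: false, reason: 'Secure attribute on an insecure scheme' };
  }

  // Leave Secure Cookies Alone: a non-Secure cookie from an insecure scheme
  // is ignored if it would shadow an existing Secure cookie with the same
  // name whose domain domain-matches (either way) and whose path the new
  // cookie's path path-matches.
  if (!c.secure && !secureRequest) {
    const shadowed = jar.some(old =>
      old.name === c.name && old.secure &&
      (domainMatches(old.domain, c.domain) || domainMatches(c.domain, old.domain)) &&
      pathMatches(c.path, old.path));
    if (shadowed) return { stored: false, reason: 'would overwrite/shadow a Secure cookie' };
  }

  // Same (name, domain, path) replaces the old cookie; otherwise append.
  const idx = jar.findIndex(old =>
    old.name === c.name && old.domain === c.domain && old.path === c.path);
  if (idx >= 0) jar.splice(idx, 1);
  jar.push(c);
  return { stored: true, reason: 'stored' };
}

// Constructed scenario: a Secure session cookie, then attempts from an
// insecure scheme (the active-network-attacker case) and prefix misuse.
function demo() {
  const jar = [];
  const results = [
    storeCookie(jar, 'https://example.com/', 'session=abc; Secure; Path=/'),        // stored
    storeCookie(jar, 'http://example.com/', 'session=evil; Path=/'),                // rejected: shadows Secure
    storeCookie(jar, 'http://example.com/', 'session=evil; Secure'),                // rejected: Secure over http
    storeCookie(jar, 'http://sub.example.com/', 'session=evil; Domain=example.com'),// rejected: domain-matches
    storeCookie(jar, 'https://example.com/', '__Secure-id=1'),                      // rejected: no Secure
    storeCookie(jar, 'https://example.com/', '__Host-id=1; Secure; Domain=example.com'), // rejected: Domain
    storeCookie(jar, 'https://example.com/', '__Host-id=1; Secure; Path=/'),        // stored
  ];
  return { jar, results };
}

module.exports = { parseSetCookie, domainMatches, pathMatches, storeCookie, demo };
```

Running `demo()` leaves two cookies in the jar (`session=abc` and `__Host-id=1`); every attempt from an `http:` URL to replace or shadow the Secure `session` cookie is refused, which is the behaviour the issue says the Secure attribute section should describe. A legitimate `https:` Set-Cookie for `session` still replaces the old value, so the rule blocks insecure overwrites without freezing the cookie.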

@miketaylr (Collaborator)

miketaylr commented Sep 2, 2021

If there is in fact some other mechanism in which an insecure origin can overwrite a Secure cookie set by a secure origin then section 8.6 should be updated to list it (ignoring any origins which the UA might consider trustworthy, such as localhost).

If there is one, that seems like a bug to be fixed :). I think you're right that the spec is just out of sync.

@miketaylr miketaylr self-assigned this Sep 10, 2021
miketaylr added a commit to miketaylr/http-extensions that referenced this issue Sep 10, 2021
…cure cookies from insecure channels

This is no longer the case since draft 01.

Also, small editorial tweak to __Secure- example.
@sbingler (Collaborator, Author)

If there is one, that seems like a bug to be fixed
Indeed! I added that as an invitation for someone to add any techniques I'm unaware of.

mikewest pushed a commit that referenced this issue Sep 14, 2021
…ookies from insecure channels (#1664)

This is no longer the case since draft 01.

Also, small editorial tweak to __Secure- example.
@sbingler (Collaborator, Author)

This is fixed.
