Section-4.1.2.5 states "An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity".
This warning appears to be out of date since Leave Secure Cookies Alone updated the spec to disallow insecure origins (schemes) from overwriting Secure cookies set by secure origins.
If there is in fact some other mechanism in which an insecure origin can overwrite a Secure cookie set by a secure origin then section 8.6 should be updated to list it (ignoring any origins which the UA might consider trustworthy, such as localhost).
Another section that could be updated to make this more clear is the "__Secure-" Prefix section. Currently it makes no mention of cookies needing to be set from a secure origin like the "__Host-" Prefix section does.
> If there is in fact some other mechanism in which an insecure origin can overwrite a Secure cookie set by a secure origin then section 8.6 should be updated to list it (ignoring any origins which the UA might consider trustworthy, such as localhost).
If there is one, that seems like a bug to be fixed :). I think you're right that the spec is just out of sync.
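The rules this thread turns on, as an added example (not code from the issue, the spec, or any browser): a small Python model of "Leave Secure Cookies Alone" together with the __Secure-/__Host- prefix checks. It assumes a simplified domain/path match and treats only https as a secure scheme, ignoring the UA-trusted origins (such as localhost) the issue sets aside.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added teaching model (not a browser's cookie store) of the RFC 6265bis rules this
# issue discusses: "Leave Secure Cookies Alone" and the __Secure-/__Host- prefixes.
# Only https counts as secure here; UA-trusted origins such as localhost are ignored.

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # lower-case, no leading dot; defaults to the setting host
    path: str
    secure: bool
    host_only: bool  # True when the Set-Cookie carried no Domain attribute

def parse_set_cookie(header: str, host: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value, then ';'-separated attributes."""
    name_value, *attr_parts = (p.strip() for p in header.split(";"))
    name, _, value = name_value.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in attr_parts)}
    domain = attrs.get("domain")
    return Cookie(name, value, (domain or host).lstrip(".").lower(),
                  attrs.get("path") or "/", "secure" in attrs, domain is None)

def domain_matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)
def path_matches(request_path: str, cookie_path: str) -> bool:
    return request_path == cookie_path or request_path.startswith(cookie_path.rstrip("/") + "/")

def set_cookie(jar: list[Cookie], header: str, origin: str) -> bool:
    """Store the cookie in `jar` if `origin` may set it; return False if rejected."""
    url = urlsplit(origin)
    host, secure_origin = url.hostname.lower(), url.scheme == "https"
    c = parse_set_cookie(header, host)
    if c.secure and not secure_origin:  # a Secure cookie needs a secure origin
        return False
    if c.name.startswith("__Secure-") and not c.secure:
        return False
    if c.name.startswith("__Host-") and not (c.secure and c.host_only and c.path == "/"):
        return False
    # Leave Secure Cookies Alone: an insecure origin may not overwrite or shadow an
    # existing Secure cookie of the same name whose domain and path overlap its own.
    if not secure_origin and any(
            old.secure and old.name == c.name and path_matches(c.path, old.path)
            and (domain_matches(c.domain, old.domain) or domain_matches(old.domain, c.domain))
            for old in jar):
        return False
    jar[:] = [o for o in jar if (o.name, o.domain, o.path) != (c.name, c.domain, c.path)] + [c]
    return True
```

With a Secure `session` cookie stored from https://example.com, a later `Set-Cookie: session=...` from http://example.com (or from http://sub.example.com with `Domain=example.com`) is dropped, while the same secure origin can still replace its own cookie.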