Investigate first party cookies, cookie prefix, and insecure modification of secure cookies #8700

jdm · 2015-11-27T17:13:36Z

https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/2PK3q_VE1rg

DemiMarie · 2015-12-01T07:20:00Z

Does this subsume #7962 ?

jdm · 2015-12-01T15:56:27Z

Unclear! It's good to link them together as you have, however.

jdm · 2017-02-03T22:27:39Z

#14445 and #14491 should have implemented the "leave secure cookies alone" specification.

KiChjang · 2017-11-11T22:35:40Z

I managed to find the cookie prefixes draft to be incorrect in its implementation details. The draft says the following:

After step 10 of the current algorithm, the cookies flags are set.
Insert the following steps to perform the prefix checks this document
specifies:
[...]
2. If the "cookie-name" begins with the string "$Host-", abort these
steps and ignore the cookie entirely unless the following
conditions are true:
* The cookie's "host-only-flag" is "true"
* The cookie's "path" is "/"

The cookie's path at this point is never empty, since the original RFC6265 section 5.3 step 7 always sets the cookie path to a default value.

KiChjang · 2017-11-15T21:27:05Z

Let me clarify why the observation above is important - the draft says that these cookies should always be rejected:

   Set-Cookie: $Host-SID=12345
   Set-Cookie: $Host-SID=12345; Secure
   Set-Cookie: $Host-SID=12345; Domain=example.com
   Set-Cookie: $Host-SID=12345; Domain=example.com; Path=/
   Set-Cookie: $Host-SID=12345; Secure; Domain=example.com; Path=/

Note that the first 3 do not specify a Path attribute. This following cookie is accepted, however:

   Set-Cookie: $Host-SID=12345; Secure; Path=/

Now, the 2nd rejected cookie above and this accepted cookie differs in only one aspect - the existence of the Path attribute. Since RFC6265 defines a step that always sets the Path attribute to a default value, this would cause the rejected cookie to be accepted, if we were to follow the draft proposal in verbatim.


        Auto merge of #19185 - KiChjang:cookie-prefixes, r=avadacatavra

Implement secure and host cookie prefixes Part of #8700. I modified the algorithm so that it accurately checks for the presence of the `Path` attribute of the cookie, before checking whether it has a value of `/`.  --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/19185)


        Auto merge of #19185 - KiChjang:cookie-prefixes, r=avadacatavra

Implement secure and host cookie prefixes Part of #8700. I modified the algorithm so that it accurately checks for the presence of the `Path` attribute of the cookie, before checking whether it has a value of `/`.  --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/19185)

jdm added A-network A-security labels Nov 27, 2015

KiChjang mentioned this issue Nov 11, 2017

Implement secure and host cookie prefixes #19185

Merged

servo / servo

Investigate first party cookies, cookie prefix, and insecure modification of secure cookies #8700

Investigate first party cookies, cookie prefix, and insecure modification of secure cookies #8700

jdm commented Nov 27, 2015 •

edited by KiChjang

DemiMarie commented Dec 1, 2015

jdm commented Dec 1, 2015

jdm commented Feb 3, 2017

KiChjang commented Nov 11, 2017

KiChjang commented Nov 15, 2017

servo / servo

Join GitHub today

Investigate first party cookies, cookie prefix, and insecure modification of secure cookies #8700

Investigate first party cookies, cookie prefix, and insecure modification of secure cookies #8700

Comments

jdm commented Nov 27, 2015 • edited by KiChjang

DemiMarie commented Dec 1, 2015

jdm commented Dec 1, 2015

jdm commented Feb 3, 2017

KiChjang commented Nov 11, 2017

KiChjang commented Nov 15, 2017

jdm commented Nov 27, 2015 •

edited by KiChjang