Investigate first party cookies, cookie prefix, and insecure modification of secure cookies #8700
Comments
Does this subsume #7962?

Unclear! It's good to link them together as you have, however.
I managed to find the cookie prefixes draft to be incorrect in its implementation details. The draft says the following:

The cookie's path at this point is never empty, since the original RFC6265 section 5.3 step 7 always sets the cookie path to a default value.

Let me clarify why the observation above is important - the draft says that these cookies should always be rejected:

Note that the first 3 do not specify a Path attribute. This following cookie is accepted, however:

Now, the 2nd rejected cookie above and this accepted cookie differ in only one aspect - the existence of the Path attribute. Since RFC6265 defines a step that always sets the Path attribute to a default value, this would cause the rejected cookie to be accepted, if we were to follow the draft proposal verbatim.
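To make the observation above concrete, here is an added example (not Servo's code, and not taken from this issue) that separates the two things the draft's algorithm conflates: whether a `Path` attribute was present on the `Set-Cookie` header, and the effective path that RFC 6265 section 5.3 step 7 computes when it is absent. The parser, the `__Host-`/`__Secure-` check, and the request paths used are all constructed for this example. `prefix_check` tests the presence of the attribute, while `naive_host_check` applies the draft's wording to the already-defaulted path and therefore accepts a `__Host-` cookie without `Path` when the request URL is at `/`.

```rust
/// Subset of a parsed Set-Cookie header relevant to the prefix rules.
#[derive(Debug, Default)]
pub struct ParsedCookie {
    pub name: String,
    pub value: String,
    pub secure: bool,
    pub domain: Option<String>,
    /// Raw value of the Path attribute, only if the header carried one.
    pub path_attr: Option<String>,
}

/// Minimal Set-Cookie parser (constructed for this example): keeps the
/// name/value pair and the Secure, Domain and Path attributes.
pub fn parse_set_cookie(header: &str) -> Option<ParsedCookie> {
    let mut parts = header.split(';');
    let pair = parts.next()?.trim();
    let eq = pair.find('=')?;
    let mut c = ParsedCookie {
        name: pair[..eq].trim().to_string(),
        value: pair[eq + 1..].trim().to_string(),
        ..Default::default()
    };
    if c.name.is_empty() {
        return None;
    }
    for attr in parts {
        let attr = attr.trim();
        let (k, v) = match attr.find('=') {
            Some(i) => (attr[..i].trim(), Some(attr[i + 1..].trim())),
            None => (attr, None),
        };
        match k.to_ascii_lowercase().as_str() {
            "secure" => c.secure = true,
            "domain" => c.domain = v.map(|s| s.to_string()),
            "path" => c.path_attr = v.map(|s| s.to_string()),
            _ => {}
        }
    }
    Some(c)
}

/// RFC 6265 section 5.1.4 default-path: the request path up to, but not
/// including, its right-most '/', or "/" when that would be empty.
pub fn default_path(request_path: &str) -> String {
    if !request_path.starts_with('/') {
        return "/".to_string();
    }
    match request_path.rfind('/') {
        Some(0) | None => "/".to_string(),
        Some(i) => request_path[..i].to_string(),
    }
}

/// RFC 6265 section 5.3 step 7: the stored path is never empty, because a
/// missing (or malformed) Path attribute is replaced by the default path.
pub fn effective_path(c: &ParsedCookie, request_path: &str) -> String {
    match &c.path_attr {
        Some(p) if p.starts_with('/') => p.clone(),
        _ => default_path(request_path),
    }
}

/// Prefix rules that test the *presence* of the Path attribute, so a
/// `__Host-` cookie with no Path attribute is rejected even when the
/// defaulted path happens to be "/".
pub fn prefix_check(c: &ParsedCookie, secure_origin: bool) -> bool {
    if c.name.starts_with("__Secure-") {
        return c.secure && secure_origin;
    }
    if c.name.starts_with("__Host-") {
        return c.secure
            && secure_origin
            && c.domain.is_none()
            && c.path_attr.as_deref() == Some("/");
    }
    true
}

/// Literal reading of the draft's `__Host-` rule applied after step 7, i.e.
/// to the defaulted path; kept here only to show the discrepancy.
pub fn naive_host_check(c: &ParsedCookie, secure_origin: bool, request_path: &str) -> bool {
    c.secure && secure_origin && c.domain.is_none() && effective_path(c, request_path) == "/"
}

fn main() {
    // Constructed header: no Path attribute, received at the site root.
    let c = parse_set_cookie("__Host-id=1; Secure").unwrap();
    println!("presence-based check: {}", prefix_check(&c, true));
    println!("defaulted-path check: {}", naive_host_check(&c, true, "/"));
}
```

The difference only surfaces when the request path is at the root, which is exactly where a `__Host-` cookie is most likely to be set; a check that reads the stored path after step 7 cannot tell an explicit `Path=/` from a defaulted one.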
Implement secure and host cookie prefixes

Part of #8700. I modified the algorithm so that it accurately checks for the presence of the `Path` attribute of the cookie, before checking whether it has a value of `/`.
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/2PK3q_VE1rg