<meta http-equiv=Set-Cookie> should do nothing if document is cookie averse #1950
In https://html.spec.whatwg.org/#table-http-equiv under Cookie setter, the algorithm should do nothing if the
In particular, the Cookie setter algorithm should be updated similar to our proposed change in w3c/webappsec-suborigins#56, from:
Given apparent usage, perhaps
Given https://www.chromestatus.com/metrics/feature/timeline/popularity/1549, I do intend to treat it as "inline script" for CSP's purposes if we don't decide that removing it entirely is a reasonable thing to do. To that end, it should probably also fail inside
I regret not noticing the request for clarification from @annevk earlier. It's been too long to be sure, but I think I wondered three things:
I think it's already clear that it should not work in a cookie-averse document, e.g. in HTML parsed by a script-constructed document object.
I asked these in the context of cookie-averse documents because of the related suborigins proposal where suborigin documents are (IIRC) cookie-averse at the script level but HTTP-level Set-Cookie on their responses still works. Which policy should apply to the meta element?
Given that meta http-equiv=set-cookie can be dynamically constructed and inserted into the HEAD by script at any time (and modifies the cookie jar when added to the document), my intuition is that it should be restricted similarly to document.cookie in cases where scripting is allowed, but this leaves the question of whether to allow it when scripting is not allowed -- whether by UI setting, by iframe sandboxing, or partially disallowed by content security policy forbidding some or all inline scripts.
Yes. We're using CSP to block scripts but relied on this to set cookies in static pages. For the life of me, I can't understand why anyone thought the ability for a cookie to be set using simple HTML needed to be killed after all these years.
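An added example, not code from this thread or from the HTML spec: a Node.js scanner that inventories `<meta http-equiv=set-cookie>` elements in static markup (the dependency the last comment describes) and reports which cookie each one would set, so a site can locate every page that relies on the meta cookie setter and move those cookies to the HTTP Set-Cookie response header before the feature is removed. The `SAMPLE_HTML` page is constructed for the example; the attribute tokenizer is simplified and assumes reasonably well-formed markup, not a full HTML parser.

```javascript
// Added example (not from the whatwg/html thread): find <meta http-equiv=set-cookie>
// elements in HTML source so their cookies can be moved to HTTP Set-Cookie headers.
// The tokenizer below is a simplification for well-formed markup, not a full HTML parser.

// Parse the attribute text of a start tag into a lowercase-name -> value map.
// Handles double-quoted, single-quoted and unquoted values, and bare attributes.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!(name in attrs)) attrs[name] = value; // first occurrence wins, as in HTML
  }
  return attrs;
}

// Split a Set-Cookie style string into name, value and lowercase attribute names.
// Valueless attributes such as Secure and HttpOnly are recorded as true.
function parseSetCookie(content) {
  const parts = content.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue = "", ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq >= 0 ? nameValue.slice(0, eq).trim() : "",
    value: eq >= 0 ? nameValue.slice(eq + 1).trim() : nameValue,
    attributes: {},
  };
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i >= 0 ? part.slice(0, i) : part).trim().toLowerCase();
    cookie.attributes[key] = i >= 0 ? part.slice(i + 1).trim() : true;
  }
  return cookie;
}

// Return every <meta http-equiv=set-cookie> in the markup, with its offset,
// the raw tag and the parsed cookie it would set. Matching is case-insensitive
// and independent of attribute order, since both vary in real pages.
function findMetaSetCookie(html) {
  const results = [];
  const tagRe = /<meta\b([^>]*)>/gi; // assumes no literal '>' inside attribute values
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if ((attrs["http-equiv"] || "").trim().toLowerCase() !== "set-cookie") continue;
    results.push({
      offset: m.index,
      tag: m[0],
      cookie: parseSetCookie(attrs.content || ""),
    });
  }
  return results;
}

// Constructed sample page: two meta cookie setters in different spellings,
// plus ordinary meta elements that must not be reported.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<meta charset="utf-8">
<META HTTP-EQUIV=Set-Cookie CONTENT="sessionid=abc123; Path=/; Secure">
<meta name="viewport" content="width=device-width">
<meta content='theme=dark; Max-Age=3600' http-equiv='set-cookie'>
</head><body></body></html>`;

for (const hit of findMetaSetCookie(SAMPLE_HTML)) {
  const attrNames = Object.keys(hit.cookie.attributes).join(", ");
  console.log(`offset ${hit.offset}: cookie "${hit.cookie.name}" with attributes [${attrNames}]`);
}
```

Run it over each static page in the site; every hit is a cookie that must instead be emitted as a Set-Cookie header by the server or CDN, which also works for documents where scripting is blocked by CSP or sandboxing.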