Restrict <meta http-equiv=set-cookie> #3011
Conversation
Tests: ..? Fixes #1950.
|
@mikewest how would I add the CSP inline script protection? Something like this perhaps:
|
|
I suspect @bsittler's suggestion was to add a check for https://html.spec.whatwg.org/#concept-n-script as well. I don't think it's expected that if you disable scripting you also disable set-cookie, although I suppose this is a bit of a mixed bag. |
|
Do CSP and meta http-equiv=set-cookie ever actually co-occur in the wild outside of test suites? If not, perhaps presence of CSP could prevent the element's cookie-setting behavior entirely |
|
(I meant: mere presence of the content-security-policy header or meta element; however that would still, in the meta-supplied-csp case, give document authors a chance to set cookies this way prior to the CSP-supplying element) |
|
I'm not sure, but https://www.chromestatus.com/metrics/feature/timeline/popularity/1549 is nonzero and that is about a subset. We should probably also consider sandboxing restricting this as you suggested, though I'm not sure if I want to tightly couple all those changes. |
|
I would enjoy getting rid of I think it's conceptually tied to |
|
It sounds like we should maybe make the change I proposed here first and then file a follow-up if anyone is interested in further restrictions. |
|
SGTM! :) |
domenic
added
the
needs tests
|
FWIW, I looked into tests a bit, but there appear to be none for this feature and existing cookie tests weren't super clear either... I wonder if @bsittler has looked into improving that for his cookie work? |
|
@mikewest could you get a sense whether the documents you saw using this were "old" or created more recently? Was it on documents that were trying to be "no-scripty", or do you think it was just folks who didn't have the control of Set-Cookie headers on their server? I'd be fine killing this in script-disabled contexts, or treating it like inline-script for CSP purposes. If you want to kill it more generally (which I'm OK with) perhaps it should be part of a re-examination of the entire mechanism. Does it really make sense to allow content to set arbitrary headers? Maybe we should enumerate the ones we have to support for historical reasons and disallow the rest. |
|
@dveditz if by content you mean HTML, |
|
@dveditz: The usage graph is spikey https://www.chromestatus.com/metrics/feature/timeline/popularity/1547. I suspect that's because Cloudflare uses it on their gateway error page (e.g. http://www.xuebang.com.cn/ contains |
|
Spot-checking HTTP Archive, I'm going to try to deprecate this in Chrome. Cloudflare seems to account for a substantial amount of usage, and they seem amenable to dropping it from their error pages. If they drop it, and the usage numbers go down accordingly, I'll try for removal. Intent to Deprecate at https://groups.google.com/a/chromium.org/d/msg/blink-dev/0sJ8GUJO0Dw/iMmcXLIGBAAJ |
|
@annevk: Should we repurpose #1950 for general deprecation/removal of |
|
I filed #3076 for you, seems a little cleaner. |
`<meta http-equiv="set-cookie" ...>` is an attack vector, and doesn't seem to be used widely enough to justify keeping it in the platform. This patch contains a tentative test for removing that functionality, as discussed in whatwg/html#3076. Chrome has approved an [intent to deprecate][1], and [Edge][2] and [Firefox][3] have both expressed support. [1]: https://groups.google.com/a/chromium.org/d/msg/blink-dev/0sJ8GUJO0Dw/iMmcXLIGBAAJ [2]: https://twitter.com/patrickkettner/status/911282308337983489 [3]: whatwg/html#3011 (comment)
|
@annevk i do have some coverage for |
|
Actually it looks to me like @mikewest already added the needed test: https://github.com/w3c/web-platform-tests/blob/master/cookies/meta-blocked.html |
Tests: cookies/meta-blocked.html in web-platform-tests. Closes whatwg#1950, closes whatwg#3011, and fixes whatwg#3076.
Tests: ..?
Fixes #1950.