
Enhance cookies with prefixes ?

Open · ozh opened this issue 4 years ago · 2 comments

As of writing, Firefox and Chrome support "cookie prefixes". Investigate this.

The __Secure- prefix makes a cookie accessible from HTTPS sites only. An HTTP site can not read or update a cookie if the name starts with __Secure-. This protects against the attack we earlier described, where an attacker uses a forged insecure site to overwrite a secure cookie.

The __Host- prefix does the same as the __Secure- prefix and more. A __Host--prefixed cookie is only accessible by the same domain it is set on. This means that a subdomain can no longer overwrite the cookie value.

References:

  • https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
  • https://googlechrome.github.io/samples/cookie-prefixes/

ozh avatar Nov 04 '20 20:11 ozh

I'd be concerned about user-agents that don't support the feature and accept any cookie's prefixed name regardless of whether it meets the conditions that prefix is meant to assert.

dgw avatar Nov 05 '20 00:11 dgw

For the record: https://caniuse.com/mdn-http_headers_set-cookie_cookie_prefixes

This should make a plugin, I'll give it a go.

ozh avatar Mar 23 '22 22:03 ozh
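The acceptance rules behind the two prefixes quoted in the issue, written out as an added Python check (example code, not YOURLS or plugin code). It models what a prefix-aware browser does with a Set-Cookie header; the `prefix_aware` flag (an assumption for illustration) models dgw's point that a user agent without prefix support accepts the cookie regardless of its attributes.

```python
"""Decide whether a Set-Cookie header would be accepted under the
__Secure- / __Host- prefix rules that prefix-aware browsers enforce."""
from typing import Dict, Optional, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def prefix_check(header: str, over_https: bool, prefix_aware: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason).

    __Secure-: needs the Secure attribute and a secure (HTTPS) origin.
    __Host-:   the same, plus no Domain attribute and Path=/, so the cookie is
               bound to exactly the host that set it (no subdomain can overwrite it).
    prefix_aware=False models a legacy user agent that ignores the prefix
    and stores the cookie like any other (constructed assumption for illustration).
    """
    name, _, attrs = parse_set_cookie(header)
    is_host = name.startswith("__Host-")
    is_secure = name.startswith("__Secure-")
    if not (is_host or is_secure):
        return True, "no prefix; ordinary cookie rules apply"
    if not prefix_aware:
        return True, "legacy UA: prefix not enforced, cookie stored anyway"
    if "secure" not in attrs:
        return False, "prefixed cookie lacks the Secure attribute"
    if not over_https:
        return False, "prefixed cookie set from an insecure origin"
    if is_host:
        if "domain" in attrs:
            return False, "__Host- cookie must not carry a Domain attribute"
        if attrs.get("path") != "/":
            return False, "__Host- cookie must set Path=/"
    return True, "accepted"
```

Feed it the exact Set-Cookie string your application emits: a rejection reason tells you which attribute is missing before a browser silently drops the cookie.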