
RFC6265bis: Prevent nameless cookies with prefixed values

Open sbingler opened this issue 3 years ago • 2 comments

Modify the cookie storage algorithm to reject cookies that:

  • Do not have a name
  • Have values that look like cookie prefixes

As mentioned in #2229, malicious servers can exploit nameless cookies to impersonate prefixed cookies.

sbingler avatar Sep 21 '22 22:09 sbingler
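The following is an added example, not text or code from the issue, the draft, or any browser. It models the storage-algorithm check proposed above as a small JavaScript function: parse a Set-Cookie line into its name/value pair, and reject the cookie when the name is empty and the value begins with a cookie prefix. The prefix list (`__Secure-`, `__Host-`) and the case-insensitive comparison are assumptions taken from the draft's prefix rules; the serialization helper shows why the check matters, since a nameless cookie is sent in the Cookie header as just its value and is therefore indistinguishable to the server from a genuinely prefixed cookie.

```javascript
// Added example (not the spec text or a browser implementation).
// Assumption: prefixes are matched case-insensitively, as in the draft's prefix rules.
const COOKIE_PREFIXES = ["__Secure-", "__Host-"];

// Split a Set-Cookie header value into name, value and attribute strings.
// Per RFC 6265bis, a name-value pair without "=" has an empty name and the
// whole string becomes the value.
function parseSetCookie(header) {
  const [nameValuePair, ...rawAttrs] = header.split(";");
  const eq = nameValuePair.indexOf("=");
  let name;
  let value;
  if (eq === -1) {
    name = "";
    value = nameValuePair.trim();
  } else {
    name = nameValuePair.slice(0, eq).trim();
    value = nameValuePair.slice(eq + 1).trim();
  }
  const attributes = rawAttrs.map((a) => a.trim()).filter(Boolean);
  return { name, value, attributes };
}

// True when the value starts with something that looks like a cookie prefix.
function valueLooksLikePrefix(value) {
  const lower = value.toLowerCase();
  return COOKIE_PREFIXES.some((p) => lower.startsWith(p.toLowerCase()));
}

// The check this issue proposes: a nameless cookie whose value looks like a
// prefixed cookie must not be stored.
function shouldRejectNamelessPrefix(cookie) {
  return cookie.name === "" && valueLooksLikePrefix(cookie.value);
}

// How a stored cookie appears in the Cookie request header. A nameless cookie
// is emitted as its bare value, so "=__Host-id=x" and a real "__Host-id=x"
// produce the same bytes on the wire.
function serializeForCookieHeader(cookie) {
  return cookie.name === "" ? cookie.value : `${cookie.name}=${cookie.value}`;
}

// Decide whether to store a Set-Cookie line; only the nameless-prefix rule is
// modelled here (Secure/Path requirements for real prefixed cookies are not).
function storeDecision(header) {
  const cookie = parseSetCookie(header);
  if (shouldRejectNamelessPrefix(cookie)) {
    return { stored: false, reason: "nameless cookie with prefixed value" };
  }
  return { stored: true, sent: serializeForCookieHeader(cookie) };
}

// Constructed sample headers (not taken from the issue).
const SAMPLES = [
  "=__Host-session=attacker; Path=/", // impersonation attempt: rejected
  "=__secure-token=1", // case variant: rejected
  "__Host-foo", // no "=" at all, so name is empty: rejected
  "=plainvalue", // nameless but harmless: stored, sent as "plainvalue"
  "__Host-session=real; Secure; Path=/", // genuinely named: not this rule's concern
];

for (const header of SAMPLES) {
  console.log(JSON.stringify(header), "->", JSON.stringify(storeDecision(header)));
}
```

Without the check, the first sample would be stored and later sent as `__Host-session=attacker`, which is byte-for-byte what a real `__Host-session` cookie produces; the server has no way to tell that the `__Host-` guarantees were never enforced for it.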

Do we have tests for this behavior in WPT?

Good question, no, not yet. I'll add some.

sbingler avatar Sep 27 '22 20:09 sbingler

Done

sbingler avatar Oct 05 '22 21:10 sbingler

Ping @mikewest

sbingler avatar Oct 17 '22 18:10 sbingler