
Taking the port into account

Open randomstuff opened this issue 4 years ago • 1 comment

In this proposal, the port is (still) not taken into account.

In particular, this claim is somewhat wrong (emphasis mine):

cookies are given an internal scheme component […]

Cookies will be accessible only to the scheme which set them, matching in this respect the scope of other storage mechanisms available on the web.

Other storage mechanisms (e.g. localStorage) are actually origin-bound and thus take the port into account.

For http: localhost applications, the ability to scope the cookies per origin might be important. Without this, the cookies of an http://127.0.0.1:4567 application can be exfiltrated by other local users by:

  1. spawning another localhost HTTP service such as http://127.0.0.1:4568;
  2. triggering a request to this page from the user.

Would it make sense to take the port into account as well? If this is not the case, this corner-case should probably be explained in the FAQ.

randomstuff avatar May 06 '21 08:05 randomstuff
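The following is an added example, not code from the scheming-cookies proposal or from the issue author. It models a browser cookie jar under three scoping rules and shows, for the scenario in the issue, which rule lets a cookie set by http://127.0.0.1:4567 ride along on a request to http://127.0.0.1:4568. The `host` rule is the classic RFC 6265 host-only match (path and Secure attribute omitted for brevity), `scheme` is the scheme-plus-host scope this proposal describes, and `origin` is the full scheme/host/port tuple used by localStorage and by the Origin-Bound Cookies proposal. The cookie name, value and ports are constructed for the example.

```javascript
// Added example (not from the scheming-cookies proposal or the issue author):
// a toy cookie jar that models three scoping rules and shows which one lets a
// cookie set by http://127.0.0.1:4567 reach http://127.0.0.1:4568.

// Minimal origin parser: scheme, host and effective port of a URL.
function parseOrigin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol.replace(":", ""), host: u.hostname, port };
}

// Scoping rules: each returns the key under which a cookie is stored.
// (Path and the Secure attribute are left out; they do not affect the port question.)
const SCOPES = {
  // RFC 6265 host-only match: scheme and port are ignored.
  host: (o) => o.host,
  // Scheming cookies proposal: scheme + host, port still ignored.
  scheme: (o) => `${o.scheme}://${o.host}`,
  // Origin-bound: full tuple, the same scope localStorage already uses.
  origin: (o) => `${o.scheme}://${o.host}:${o.port}`,
};

class CookieJar {
  constructor(scope) {
    this.keyOf = SCOPES[scope];
    this.store = new Map(); // scope key -> Map(name -> value)
  }
  // Store a cookie from a Set-Cookie header on a response for `url`.
  set(url, name, value) {
    const key = this.keyOf(parseOrigin(url));
    if (!this.store.has(key)) this.store.set(key, new Map());
    this.store.get(key).set(name, value);
  }
  // Build the Cookie header the browser would attach to a request to `url`.
  cookiesFor(url) {
    const key = this.keyOf(parseOrigin(url));
    const m = this.store.get(key) || new Map();
    return [...m].map(([n, v]) => `${n}=${v}`).join("; ");
  }
}

// Scenario from the issue: the app on :4567 sets a session cookie, then another
// local user's service on :4568 gets a request from the same browser.
// Returns the Cookie header that request would carry under the given rule.
function leakedCookies(scope) {
  const jar = new CookieJar(scope);
  jar.set("http://127.0.0.1:4567/", "session", "s3cr3t"); // constructed value
  return jar.cookiesFor("http://127.0.0.1:4568/");
}

// Same jar, but the second request goes to https:// on the same port: this is
// the case the scheme-only rule does isolate.
function crossSchemeCookies(scope) {
  const jar = new CookieJar(scope);
  jar.set("http://127.0.0.1:4567/", "session", "s3cr3t"); // constructed value
  return jar.cookiesFor("https://127.0.0.1:4567/");
}

for (const scope of Object.keys(SCOPES)) {
  console.log(
    `${scope.padEnd(6)} other port -> "${leakedCookies(scope)}"  ` +
    `other scheme -> "${crossSchemeCookies(scope)}"`
  );
}
```

Under `host` and `scheme` the session cookie is attached to the request to port 4568, which is the exfiltration path the issue describes; only the `origin` rule keeps it on port 4567. The cross-scheme check shows what the proposal does change: `scheme` and `origin` both withhold the http-set cookie from https://127.0.0.1:4567, while `host` sends it.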

The proposal I was looking for is Origin-Bound cookies.

randomstuff avatar May 06 '21 09:05 randomstuff