Bug 1783536 Comment 16 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Thanks for clarifying, Marco.

Not sure if clarification is needed here, but essentially the child process that will be responsible for blocking the cookie-set will need to somehow know the cookie exists (but for a privileged origin) in the jar. But the security concern with Option A is that if the child process is ever compromised, then that process will have easier access to potentially other origin and other process cookies.

Also,
> Which further begs the question: Can we even adequately address this bug without this?
My comment above is a bit confused, I will modify it. But [the bug in question](https://bugzilla.mozilla.org/show_bug.cgi?id=1788109) is still relevant. If it is fixed, then Option A or B for this bug seem like something we definitely should NOT do, but it may provide a more secure alternative.

Hoping security team can shed some light here.

Thanks for clarifying, Marco.

Not sure if clarification is needed here, but essentially the child process that will be responsible for blocking the cookie-set will need to somehow know the cookie exists (but for a privileged origin) in the jar. But the security concern with Option A is that if the child process is ever compromised, then that process will have easier access to potentially other origin and other process cookies.

Also,
> Which further begs the question: Can we even adequately address this bug without this?

My comment above is a bit confused, I will modify it. But [the bug in question](https://bugzilla.mozilla.org/show_bug.cgi?id=1788109) is still relevant. If it is fixed, then Option A or B for this bug seem like something we definitely should NOT do, but it may provide a more secure alternative.

Hoping security team can shed some light here.

Thanks for clarifying, Marco.

Not sure if clarification is needed here, but essentially the child process that will be responsible for blocking the cookie-set will need to somehow know the cookie exists (but for a privileged origin) in the jar. But the security concern with Option A is that if the child process is ever compromised, then that process will have easier access to potentially other origin and other process cookies.

Also,
> Which further begs the question: Can we even adequately address this bug without this?

My comment above is a bit confused, I will modify it. But [the bug in question](https://bugzilla.mozilla.org/show_bug.cgi?id=1788109) is still relevant. If it is fixed, then Option A or B for this bug seem like something we definitely should NOT do, but by then another alternative may become available.

Hoping security team can shed some light here.
