Closed Bug 301055 Opened 19 years ago Closed 19 years ago

its possible to set cookies scoped to .co.uk domain and read at other .co.uk sites

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 252342

People

(Reporter: liquidlaughter2000.will, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5

www.fictitious-site.co.uk is able to set a cookie scoped to the domain '.co.uk',
which is then sent in a request to view www.another-fictitious-site.co.uk, or
indeed any other .co.uk site.

This may also apply to other domains other than .co.uk - other domains have not
been tested.

Reproducible: Always

Steps to Reproduce:
1. visit http://www.garytomlinson.co.uk/cookies/
2. enter a cookie name and a cookie value, click submit
3. click the resulting link or go to http://www.focusforsale.pwp.blueyonder.co.uk/
Actual Results:  
The cookie you created on the first .co.uk site is accessible to the second.

Expected Results:  
Cookies should not be able to be set for the .co.uk domain. 3 periods are
required in domains except for limited few (.com, .net etc).

*** This bug has been marked as a duplicate of 252342 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Group: security
You need to log in before you can comment on or make changes to this bug.