server sets domain cookie beyond authority

RESOLVED DUPLICATE of bug 8743

Core
Networking: Cookies
16 years ago
16 years ago

People

(Reporter: Chris Josephes, Assigned: Stephen P. Morse)

Tracking

Trunk
x86
Windows ME

(Reporter)

Description

16 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:0.9.6) Gecko/20011120
BuildID:    2001112009

The website www.ci.minneapolis.mn.us sets 2 cookies, one for 
host www.ci.minneapolis.mn.us, and one for domain minneapolis.mn.us.

But anyone can obtain a valid subdomain of minneapolis.mn.us, so any 
web server in a subdomain of that domain could see the value of the
minneapolis.mn.us cookie.


Reproducible: Always
Steps to Reproduce:
1. Visit http://www.ci.minneapolis.mn.us
2. Check your Cookie Manager
3.

Expected Results:  Mozilla should probably not accept cookies set to a 3rd level
subdomain of the .us domain hierarchy.
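
An added example, not part of the original report and not Mozilla's code: a sketch of the acceptance check the report asks for, following the public-suffix rule in RFC 6265 section 5.3. The `SHARED_SUFFIXES` list, the function names and the host `other.minneapolis.mn.us` are assumptions made for illustration.

```javascript
// Constructed list for illustration (an assumption, not data from the report):
// zones under which unrelated parties can obtain names.
const SHARED_SUFFIXES = new Set(["us", "mn.us", "minneapolis.mn.us"]);

// Lower-case and drop one leading dot from a host or Domain attribute.
const canon = (name) => name.toLowerCase().replace(/^\./, "");

// RFC 6265 domain-match: same name, or host ends with "." + domain.
function domainMatches(host, domain) {
  const h = canon(host), d = canon(domain);
  return h === d || h.endsWith("." + d);
}

// Decide how to store a cookie received from requestHost with Domain=domainAttr.
function evaluateDomainCookie(requestHost, domainAttr) {
  const host = canon(requestHost);
  if (!domainAttr) return { accept: true, scope: host, hostOnly: true };
  const domain = canon(domainAttr);
  if (!domainMatches(host, domain)) {
    return { accept: false, reason: "request host is outside Domain" };
  }
  if (SHARED_SUFFIXES.has(domain)) {
    // RFC 6265 section 5.3: keep as host-only if the suffix is the host itself,
    // otherwise ignore the cookie entirely.
    return host === domain
      ? { accept: true, scope: host, hostOnly: true }
      : { accept: false, reason: "Domain is a shared suffix" };
  }
  return { accept: true, scope: domain, hostOnly: false };
}

// Which of the given hosts would be sent a stored cookie.
function recipients(cookie, hosts) {
  return hosts.filter((h) =>
    cookie.hostOnly ? canon(h) === cookie.scope : domainMatches(h, cookie.scope));
}

// www.ci.minneapolis.mn.us is from the report; the second host is constructed.
const HOSTS = ["www.ci.minneapolis.mn.us", "other.minneapolis.mn.us"];
// Without the suffix check, the Domain cookie reaches both hosts.
const unchecked = recipients({ scope: "minneapolis.mn.us", hostOnly: false }, HOSTS);
const checked = evaluateDomainCookie(HOSTS[0], "minneapolis.mn.us");
console.log(unchecked, checked);
```

The check is only as good as the suffix list behind it, which has to be maintained as data because nothing in a name's syntax marks where a registry boundary falls.
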
(Assignee)

Comment 1

16 years ago
That's an old problem and is unsolvable.

*** This bug has been marked as a duplicate of 8743 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE