Closed Bug 1420032 Opened 3 years ago Closed 3 years ago

document.cookie DOM property can be clobbered using DOM node named cookie

Categories

(Core :: DOM: Core & HTML, defect)

56 Branch
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: saurabh.banawar, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce:

Include the following HTML Code and observe:

<h3>Clobbering cookie</h3>
<script>
// Set a cookie through the real accessor, then read it back: writes "sa=1132".
document.cookie="sa=1132";
document.write(document.cookie);
</script>
<br>
<br>
<!-- A named form: from here on, document.cookie resolves to this element. -->
<form name="cookie"></form>
<br>
<br>
<!-- Now writes "[object HTMLFormElement]" instead of the cookie string. -->
<script>document.write(document.cookie);</script>


Actual results:

The cookie gets clobbered.


Expected results:

The cookie should not be clobbered, because the legitimate JavaScript gets confused and this hampers the functionality of web applications.

Safari, Chrome and Firefox all behave the same here, and this is publicly documented and specced ( https://html.spec.whatwg.org/multipage/dom.html#dom-document-namedItem-which , http://jibbering.com/faq/names/ , https://kangax.github.io/domlint/ etc. ). "Confusion" is also not really a security issue without further explanation, so I'm unhiding this issue.

It seems Edge doesn't overwrite document.cookie, or, for that matter, any other things like document.getElementById. I think that would be sensible, but I would imagine that you'd need to raise a spec issue - I don't see anything in the spec that determines how these conflicts are resolved (or not), but that's probably me not looking in the right place...
Group: firefox-core-security
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
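The clobbering in the report above, and the two checks a page can use to survive it, shown as an added example in plain Node.js (this is not code from the bug report or from Mozilla). Node has no DOM, so the FakeDocument, FakeForm and attachNamedLookup names below are assumed stand-ins for a browser document whose named-element lookup overrides built-in members; the browser-side equivalent of the recovery call is noted in a comment.

```javascript
'use strict';

// Constructed stand-in for an HTMLFormElement with a name attribute.
class FakeForm {
  constructor(name) {
    this.tagName = 'FORM';
    this.name = name;
  }
}

// Constructed stand-in for Document. The cookie accessor lives on the
// prototype, as Document.prototype.cookie does in modern browsers. The jar
// is deliberately simplistic (no name de-duplication, no attributes).
class FakeDocument {
  constructor() {
    this._jar = [];
    this._named = new Map();
  }
  get cookie() { return this._jar.join('; '); }
  set cookie(value) { this._jar.push(value.split(';')[0]); }
  appendChild(el) {
    if (el.name) this._named.set(el.name, el);
    return el;
  }
}

// Emulates the legacy override-builtins named lookup: an element whose name
// matches a property name shadows even a built-in accessor such as cookie.
// Only the get path is modelled; assignment still reaches the prototype setter.
function attachNamedLookup(doc) {
  return new Proxy(doc, {
    get(target, prop, receiver) {
      if (typeof prop === 'string' && target._named.has(prop)) {
        return target._named.get(prop);
      }
      return Reflect.get(target, prop, receiver);
    },
  });
}

// Check 1: the real accessor only ever returns a string, so a non-string
// document.cookie means a named element has clobbered it.
function isCookieClobbered(doc) {
  return typeof doc.cookie !== 'string';
}

// Check 2: read through the prototype accessor, bypassing named lookup.
// In a browser the same call is
//   Object.getOwnPropertyDescriptor(Document.prototype, 'cookie').get.call(document)
function readCookieUnclobbered(doc, proto) {
  const desc = Object.getOwnPropertyDescriptor(proto, 'cookie');
  return desc.get.call(doc);
}

// Replays the reporter's steps: set a cookie, add <form name="cookie">,
// then compare the naive read with the two checks.
function demo() {
  const doc = attachNamedLookup(new FakeDocument());
  doc.cookie = 'sa=1132';                     // value from the bug report
  const before = doc.cookie;                  // 'sa=1132'
  doc.appendChild(new FakeForm('cookie'));    // <form name="cookie"></form>
  const after = doc.cookie;                   // the form, not a string
  return {
    before,
    afterIsForm: after instanceof FakeForm,
    clobbered: isCookieClobbered(doc),
    recovered: readCookieUnclobbered(doc, FakeDocument.prototype),
  };
}

console.log(demo());
```

The typeof check is cheap enough to run before any cookie-based decision in page code; the prototype-accessor read is the recovery path when a page cannot control the markup it is embedded in (user-supplied HTML, third-party widgets).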
Hi Amy, is this in your wheelhouse, so that you could confirm the existing expected behavior?
Flags: needinfo?(amchung)
Overrides are confusing but this is by design so INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
Flags: needinfo?(amchung)