Closed
Bug 1420032
Opened 7 years ago
Closed 7 years ago
document.cookie DOM property can be clobbered using DOM node named cookie
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
RESOLVED
INVALID
People
(Reporter: saurabh.banawar, Unassigned)
Details
Attachments
(1 file)
40.41 KB, image/png
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Steps to reproduce:
Include the following HTML code and observe:
<h3>Clobbering cookie</h3>
<script>
// set a cookie, then print it: writes "sa=1132"
document.cookie="sa=1132";
document.write(document.cookie);
</script>
<br>
<br>
<!-- a named form whose name matches the built-in document.cookie property -->
<form name="cookie"></form>
<br>
<br>
<!-- after the form exists, document.cookie resolves to the form element instead of the cookie string -->
<script>document.write(document.cookie);</script>
Actual results:
The cookie gets clobbered.
Expected results:
The cookie should not be clobbered, because the legitimate JavaScript gets confused and this hampers the functionality of web applications.
Comment 1•7 years ago
Safari, Chrome and Firefox all behave the same here, and this is publicly documented and specced (https://html.spec.whatwg.org/multipage/dom.html#dom-document-namedItem-which, http://jibbering.com/faq/names/, https://kangax.github.io/domlint/ etc.). "Confusion" is also not really a security issue without further explanation, so I'm unhiding this issue.
It seems Edge doesn't overwrite document.cookie, or, for that matter, any other things like document.getElementById. I think that would be sensible, but I would imagine that you'd need to raise a spec issue - I don't see anything in the spec that determines how these conflicts are resolved (or not), but that's probably me not looking in the right place...
Group: firefox-core-security
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Comment 2•7 years ago
Hi Amy, is this in your wheelhouse, so that you could confirm the existing expected behavior?
Flags: needinfo?(amchung)
Comment 3•7 years ago
This is as specced, see https://heycam.github.io/webidl/#LegacyPlatformObjectGetOwnProperty and https://heycam.github.io/webidl/#dfn-named-property-visibility (HTMLDocument is marked OverrideBuiltins).
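An added model (example code, neither Firefox's nor the reporter's) of the Web IDL named-property visibility rule cited in Comment 3, applied to the reporter's <form name="cookie">, with a clobber check and a safe read that calls the prototype getter directly. DocumentProto, formElement and cookieJar are constructed stand-ins for the real DOM objects; in a browser the same safe read uses Document.prototype and document.

```javascript
// Model of the Web IDL named-property visibility rule that makes
// <form name="cookie"> shadow document.cookie on an [OverrideBuiltins]
// interface. DocumentProto, formElement and cookieJar are constructed
// stand-ins; in a page use Document.prototype and document instead.

const cookieJar = { value: "sa=1132" };        // constructed cookie store
const DocumentProto = {                         // stand-in for Document.prototype
  get cookie() { return cookieJar.value; },
  set cookie(v) { cookieJar.value = v; },
};
const formElement = { tagName: "FORM", name: "cookie" }; // the reporter's <form>

// Build a legacy platform object whose named properties come from `named`
// (Map of name -> element). `overrideBuiltins` selects the [OverrideBuiltins]
// branch of https://heycam.github.io/webidl/#dfn-named-property-visibility.
function makePlatformObject(proto, named, overrideBuiltins) {
  const target = Object.create(proto);
  function namedPropertyVisible(name) {
    if (typeof name !== "string" || !named.has(name)) return false; // not a supported name
    if (Object.prototype.hasOwnProperty.call(target, name)) return false;
    if (!overrideBuiltins && name in proto) return false; // prototype wins without the attribute
    return true;
  }
  return new Proxy(target, {
    get(t, name, receiver) {
      if (namedPropertyVisible(name)) return named.get(name); // named element shadows built-in
      return Reflect.get(t, name, receiver);                   // ordinary lookup reaches the getter
    },
  });
}

// document.cookie as seen through a document containing <form name="cookie">.
function resolveCookie(overrideBuiltins) {
  const doc = makePlatformObject(DocumentProto, new Map([["cookie", formElement]]), overrideBuiltins);
  return doc.cookie;
}

// Detection: a built-in property that now resolves to a DOM node has been clobbered.
function isClobbered(doc, name) {
  const v = doc[name];
  return v !== null && typeof v === "object" && "tagName" in v;
}

// Mitigation: invoke the prototype getter directly, bypassing named-property
// lookup, so application code still receives the cookie string.
function readCookieSafely(doc, proto = DocumentProto) {
  return Object.getOwnPropertyDescriptor(proto, "cookie").get.call(doc);
}

const clobberedDoc = makePlatformObject(DocumentProto, new Map([["cookie", formElement]]), true);
console.log(resolveCookie(true));   // the form element, as in Firefox/Chrome/Safari
console.log(resolveCookie(false));  // "sa=1132": the built-in wins without [OverrideBuiltins]
console.log(isClobbered(clobberedDoc, "cookie"), readCookieSafely(clobberedDoc));
```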
Comment 4•7 years ago
Overrides are confusing but this is by design so INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Updated•7 years ago
Flags: needinfo?(amchung)