Closed Bug 1687262 Opened 5 years ago Closed 4 years ago

Cross domain IFrame not able to access cookie from parent domain.

Categories

(Core :: Networking: Cookies, defect)

Firefox 84
x86_64
Windows 10
defect


RESOLVED INCOMPLETE

People

(Reporter: vinayakdewangan104, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0

Steps to reproduce:

Parent website: www.localhost:8080. We have the login mechanism there; we are storing User Details with Expiration time in a session cookie. Any action checks for User Details from the Session Cookie.

Cross-domain IFrame: www.localhost:8085. Here we have HTML, and while performing any type of action, we check the parent domain session cookie for user details but get the parent cookie value as Undefined/Null.

Actual results:

Due to which we get logged out from the parent website, as we have session checks for user details.

Note: This is working fine in Google Chrome (Version 87) and Microsoft Edge (Version 87).

Expected results:

I should not get logged out. Or, in other words, the parent domain cookie should be accessible from the cross-domain IFrame.

Component: Untriaged → Session Restore
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
Component: Session Restore → Security
Severity: -- → S2
Priority: -- → P2

(In reply to Vinayak from comment #0)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0

Steps to reproduce:

Parent website: www.localhost:8080. We have a login mechanism where we are storing User Details with Expiration time in a session cookie. A User is validated against a Session Cookie before performing any action.

Cross-domain IFrame: www.localhost:8085. Here we have HTML, and while performing any type of action, we check the parent domain session cookie for user details but get the parent cookie value as Undefined/Null.

Actual results:

Due to which we get logged out from the parent website, as we have session checks for user details.

Note: This is working fine in Google Chrome (Version 87) and Microsoft Edge (Version 87).

Expected results:

It should be able to access the parent domain session cookie from the cross-domain IFrame.

Why does this need to be hidden as a security issue? Lack of access to cookies fails closed, right? (ie actions will not be allowed when they should be allowed, rather than the other way around)

Can you provide a testcase?

Group: firefox-core-security → network-core-security
Component: Security → Networking: Cookies
Flags: needinfo?(vinayakdewangan104)
Product: Firefox → Core

I have wrongly put security as bug type, I will update.
Yes, Failed to access parent cookie.

Steps to reproduce:
Parent website: www.localhost:8080. We have a login mechanism where we are storing User Details with Expiration time in a session cookie. A User is validated against a Session Cookie before performing any action.

Cross-domain IFrame: www.localhost:8085. Here we have HTML, and while performing any type of action, we check the parent domain session cookie for user details but get the parent cookie value as Undefined/Null.

Flags: needinfo?(vinayakdewangan104)

(In reply to Vinayak from comment #3)

Steps to reproduce:

These aren't complete steps - can you link to a live testcase, or attach a zipfile or similar with a minimal case that reproduces the problem you're seeing?

Group: network-core-security
Severity: S2 → --
Priority: P2 → --

ni for the test case.

Flags: needinfo?(vinayakdewangan104)

Still waiting on reporter to provide testcase.

Blocks: cookie

No test case has been provided.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE