Closed Bug 1903110 Opened 1 year ago Closed 1 year ago

cookie with empty name and value should be rejected

Categories

(Core :: Networking: Cookies, defect, P2)

Product:
Core
Component:
Networking: Cookies
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
firefox129 --- fixed

People

(Reporter: dveditz, Assigned: baku)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged][necko-priority-next])

Attachments

(2 files)

Bug 1903110 - cookie with empty name and value should be rejected, r=timhuang
48 bytes, text/x-phabricator-request
Details | Review
2024-07-26_13h16_48.png
263.13 KB, image/png
Details

The cookie spec says we should reject cookies that don't have a name and don't have a value (step 2 of §5.6 https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-5.6-3.2.1). The parsing algorithm in §5.5 can lead to an empty name and value (https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#name-the-set-cookie-header-field) but the later step is supposed to prevent that.

test:

  1. open the dev tools console
  2. execute document.cookie = " ; path=/; secure"
  3. check storage in dev tools

When we construct the cookie string we correctly filter it out -- it doesn't show up in document.cookie or in the Cookie: header. But it's there in storage.

Summary: nameless+valueless cookies should be rejected → cookie with empty name and value should be rejected
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-next]

Pretty sure fixing this will resolve the WPTs in cookies/attributes/invalid.html:

  • "Ignore name- and value-less Set-Cookie: ; bar"
  • "Ignore Set-Cookie: = with other Set-Cookie headers"
Blocks: 1903405
Assignee: nobody → amarchesini
Attachment #9408866 - Attachment description: Bug 1903110 - cookie with empty name and value should be rejected, r?timhuang → Bug 1903110 - cookie with empty name and value should be rejected, r=timhuang
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f858a19b6239 cookie with empty name and value should be rejected, r=timhuang,cookie-reviewers
Regressions: 1904073

Backed out for causing bc failures in browser_cookie_insecure_overwrites_secure.js

  • Backout link
  • Push with failures
  • Failure Log
  • Failure line: TEST-UNEXPECTED-FAIL | netwerk/cookie/test/browser/browser_cookie_insecure_overwrites_secure.js | A promise chain failed to handle a rejection: Actor 'SpecialPowers' destroyed before query 'Spawn' was resolved - stack: ensureDOMPromiseRejectionsProcessed@resource://testing-common/PromiseTestUtils.sys.mjs:115:17
Flags: needinfo?(amarchesini)
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e774888e3229 cookie with empty name and value should be rejected, r=timhuang,cookie-reviewers

https://hg.mozilla.org/mozilla-central/rev/e774888e3229

Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox129: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
Flags: needinfo?(amarchesini)
Flags: qe-verify+

Hi Andreea,
Before the fix (Win11x64 and FF 129.0a1 (20240617214416)) the cookie with empty name was displayed in storage, but after the fix (Win11x64 and FF 129.0b8) the cookie is displayed again in storage but this time with name, is this the expected outcome? Thank you.

Flags: needinfo?(amarchesini)

Can you provide a STR? Thanks!

Flags: needinfo?(amarchesini)

I followed the steps from description:

  1. opened link https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-5.6-3.2.1
  2. open the dev tools console
  3. execute document.cookie = " ; path=/; secure"
  4. check storage in dev tools
    Actual result: On 129.0a1 I have an entry with no name under storage (before fix) and on 129.0b9 I have an entry with name under storage (after fix). Is this expected?
Flags: needinfo?(amarchesini)

The two things seem unrelated. The cf_clearance cookie is there but it's not shown by the dev-tools.
:edgul, do you know how can help here? In the log I see this:

Parent 402759: Main Thread]: D/cookie ===== COOKIE ACCEPTED =====
[Parent 402759: Main Thread]: D/cookie request URL: https://datatracker.ietf.org/cdn-cgi/challenge-platform/h/b/jsd/r/8abdcd2dcca85a1f
[Parent 402759: Main Thread]: D/cookie cookie string: cf_clearance=; Path=/; Expires=Thu, 01-Jan-70 00:00:00 GMT; Domain=.ietf.org; HttpOnly; Secure; SameSite=None
cf_clearance=XXX; Path=/; Expires=Thu, 31-Jul-25 13:05:44 GMT; Domain=.ietf.org; HttpOnly; Secure; SameSite=None; Partitioned
[Parent 402759: Main Thread]: D/cookie replaces existing cookie: false
[Parent 402759: Main Thread]: D/cookie current time: Wed Jul 31 13:05:44 2024 GMT
[Parent 402759: Main Thread]: D/cookie ----------------
[Parent 402759: Main Thread]: D/cookie name: cf_clearance
[Parent 402759: Main Thread]: D/cookie value: XXX
[Parent 402759: Main Thread]: D/cookie domain: .ietf.org
[Parent 402759: Main Thread]: D/cookie path: /
[Parent 402759: Main Thread]: D/cookie expires: Thu Jul 31 13:05:44 2025 GMT
[Parent 402759: Main Thread]: D/cookie created: Wed Jul 31 13:05:44 2024 GMT
[Parent 402759: Main Thread]: D/cookie is secure: true
[Parent 402759: Main Thread]: D/cookie is httpOnly: true
Flags: needinfo?(amarchesini) → needinfo?(edgul)

This is a known bug; cookies with Partitioned attribute are not showing in devtools. We believe this will be addressed by Bug 1895215

Flags: needinfo?(edgul)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: