CookieStore set: __Host- and __Secure- prefixes can be used in cookie's value with empty cookie name
Categories
(Core :: Networking: Cookies, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox136 | --- | disabled |
| firefox137 | --- | disabled |
| firefox138 | --- | verified |
People
(Reporter: sormus.uku, Assigned: edgul)
References
(Blocks 1 open bug)
Details
(Keywords: reporter-external, sec-moderate, Whiteboard: [necko-triaged][necko-priority-queue])
Attachments
(2 files)
Steps to reproduce:
- Go to https://example.com/
- Open devtools (F12), Console tab
- Execute the following JavaScript:
await cookieStore.set("", "__Host-XXX")
- Go to devtools Network tab, refresh the page and observe the Cookie header in Request Headers
Actual results:
The cookie is set and sent out:
Cookie: __Host-XXX
Expected results:
A cookie with empty name, and value with __Host- or __Secure- prefix should not have been set.
See similar security issue, impact etc. in issue reported in 2022 using Set-Cookie and document.domain:
https://bugzilla.mozilla.org/show_bug.cgi?id=1779993
For example, using the older API instead and executing document.cookie = "=__Host-YYY" is rightfully rejected:
Cookie “” has been rejected for invalid prefix.
Updated•1 year ago
|
| Reporter | ||
Comment 1•1 year ago
|
||
Latest Firefox 136.0 on Ubuntu 22.04, 64-bit
"Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0"
Updated•1 year ago
|
Comment 2•1 year ago
|
||
See bug 1951750 comment 3 -- CookieStore is making up its own rules instead of using the shared routines. These features must always use the shared routines. Right or wrong, having different parts of the code with different rules will create bugs, and if the shared routines are wrong they can be fixed once without having to worry (or create security bugs out of blissful ignorance) that you missed updating a place that had to be kept in sync.
Updated•1 year ago
|
Comment 5•1 year ago
|
||
Updated•1 year ago
|
Comment 6•1 year ago
|
||
The patch landed in nightly and beta is affected.
:edgul, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox137towontfix.
For more information, please visit BugBot documentation.
Updated•1 year ago
|
Comment 8•1 year ago
|
||
A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Comment 10•1 year ago
|
||
Updated•1 year ago
|
Reproduced the initial issue described in comment 0 using an old Nightly build from 2025-03-03, verified that using latest Beta 138.0b2 (after enabling cookieStore) and latest Nightly 139.0a1 across platforms (Windows 11, macOS 13.7 and Ubuntu 22.04) there is no Cookie: __Host-XXX visible in Request header.
Updated•10 months ago
|
Description
•