Closed Bug 1951746 Opened 1 year ago Closed 1 year ago

CookieStore set: __Host- and __Secure- prefixes can be used in cookie's value with empty cookie name

Categories

(Core :: Networking: Cookies, defect, P2)

Firefox 136
defect

Tracking

()

VERIFIED FIXED
138 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox136 --- disabled
firefox137 --- disabled
firefox138 --- verified

People

(Reporter: sormus.uku, Assigned: edgul)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [necko-triaged][necko-priority-queue])

Attachments

(2 files)

Steps to reproduce:

  1. Go to https://example.com/
  2. Open devtools (F12), Console tab
  3. Execute the following JavaScript:
await cookieStore.set("", "__Host-XXX")
  1. Go to devtools Network tab, refresh the page and observe the Cookie header in Request Headers

Actual results:

The cookie is set and sent out:

Cookie: __Host-XXX

Expected results:

A cookie with empty name, and value with __Host- or __Secure- prefix should not have been set.

See similar security issue, impact etc. in issue reported in 2022 using Set-Cookie and document.domain:
https://bugzilla.mozilla.org/show_bug.cgi?id=1779993

For example, using the older API instead and executing document.cookie = "=__Host-YYY" is rightfully rejected:

Cookie “” has been rejected for invalid prefix.
Group: firefox-core-security → network-core-security
Component: Untriaged → Networking: Cookies
Product: Firefox → Core
See Also: → 1939563

Latest Firefox 136.0 on Ubuntu 22.04, 64-bit
"Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0"

See Also: → 1951750

See bug 1951750 comment 3 -- CookieStore is making up its own rules instead of using the shared routines. These features must always use the shared routines. Right or wrong, having different parts of the code with different rules will create bugs, and if the shared routines are wrong they can be fixed once without having to worry (or create security bugs out of blissful ignorance) that you missed updating a place that had to be kept in sync.

Flags: needinfo?(edgul)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-moderate
See Also: → CVE-2022-40958
Assignee: nobody → edgul
Severity: -- → S3
Flags: needinfo?(edgul)
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-queue]
Pushed by eguloien@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b89b2848d9c0 Nameless cookies should not begin with special prefixes r=baku
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch

The patch landed in nightly and beta is affected.
:edgul, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox137 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(edgul)
Flags: needinfo?(edgul)

A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)

Flags: qe-verify+
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/0e0f298fd95c Add wpt for prefixed nameless cookies. r=valentin
Blocks: cookie-store
QA Whiteboard: [post-critsmash-triage]

Reproduced the initial issue described in comment 0 using an old Nightly build from 2025-03-03, verified that using latest Beta 138.0b2 (after enabling cookieStore) and latest Nightly 139.0a1 across platforms (Windows 11, macOS 13.7 and Ubuntu 22.04) there is no Cookie: __Host-XXX visible in Request header.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: