User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
I recently discovered there's a quite old patch from Microsoft for Internet
Explorer which blocks cookies coming from a server with improper syntax, e.g. an
hostname containing an underscore: let's say we have a machine named
my_test.mydomain.com, Internet Explorer doesn't accept cookies set by that machine.
Mozilla does. Is this correct?
Microsoft says that's the right behavior...
Of course I'm not saying Mozilla should imitate IE, I'm just wondering if this
security issue is something related only to the Microsoft platform or not. :)
Fo further details, read carefully here:
Steps to Reproduce:
I forgot to say this Explorer behavior is due to security reasons (but i don't
know which malicious hack could be done by sending cookies from server with
improper names... anyway i believe Microsoft knows ;) )
We could add a check for valid domains in cookies, but we might do that
We still allow somewhat unlimited acess to the hostname via file: urls w/
I'm working on a FQDN validator in JS.
PS: I tried with Firefox, Konqueror and Opera too and they have the same
behavior of Mozilla... anyway I'm still wondering how can a cookie coming from a
server with improper hostname syntax lead to security problems, as Microsoft asserts
Many security problems arise from data structure problems, and in the area of
networking, we have subsystems that have disjoint handling of namespaces.
For example, we used to have different hostname parsers for modules that were
chained together. That meant if you send a really weird hostname, it might look
like "a" to one module and "b" to another.
Not to generalize about a complex area I know little about, but for the security
issues I have helped on, the root cause is usually bad code vs. smart hacker.
*** Bug 331778 has been marked as a duplicate of this bug. ***
(In reply to comment #3)
> PS: I tried with Firefox, Konqueror and Opera too and they have the same
> behavior of Mozilla... anyway I'm still wondering how can a cookie coming from a
> server with improper hostname syntax lead to security problems, as Microsoft asserts
it may be not a high risk security issue, but surely underscore is an illegal
character in a FQDN.
it is certainly not a high priority bug, it just breaks the RFC.
our behavior, afaict, matches chrome.. so wontfix for compat.