Closed Bug 306658 Opened 19 years ago Closed 19 years ago

Cookies set from about:blank pages have no hostname

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
1.8 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: mconnor)

Details

(Keywords: fixed1.8, verified1.7.13, Whiteboard: [sg:fix])

Attachments

(2 files)

testcase
159 bytes, text/html
Details
make CheckDomain actually fail for non-file URIs without a hostname
1.17 KB, patch
dwitte
: review+
darin.moz
: superreview+
dveditz
: approval-aviary1.0.8+
dveditz
: approval1.7.13+
asa
: approval1.8b5+
Details | Diff | Splinter Review 
Steps to reproduce:
1. javascript:window.open().document.cookie="this=bad"; void 0
2. Look at your cookies.

Result: there's now a session cookie with no hostname and path "blank".  This
cookie is shared by all about:blank pages, regardless of what page linked to
about:blank.

Expected: ideally, the cookie should be set as if it came from the page that
opened about:blank.  In the short run, I could go for failing.
This is similar to local file cookies having no hostname, but that one's more of
a real problem. about:blank by definition has no content, how are cookies
getting set? If you've added content from some other page it will get the host
of that page. If you've typed in a cookie-setting bookmarklet that's probably an
edge case we don't care about.

Is the security-sensitive flag necessary? I don't see the exploit.
Reproduced with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4)
Gecko/20050901 Firefox/1.0+.

The kinds of attacks I'm worried about:

* Setting a cookie that ends up being sent for all sites.  (If a .mozilla.org
cookie is sent for bugzilla.mozilla.org, does anything prevent a site with no
hostname from setting a cookie that is sent for all sites?)

* Intentional use of cross-site cookies, e.g. by advertisers, that is supposed
to be difficult or impossible.
OS: MacOS X → All
Hardware: Macintosh → All
Jesse: Is this reproducable without a bookmarklet?
Attached file testcase β€” 
Yes.
It may be possible to exploit this without opening a new window, e.g. using an
iframe.
yes, this can be done using iframes :-(
Flags: blocking1.8b5?
Flags: blocking1.7.12?
Flags: blocking-aviary1.0.7?
Whiteboard: [sg:fix]
Flags: blocking1.8b5? → blocking1.8b5+
Assignee: general → dveditz
Dan's pretty overloaded. Who else can help here. 
->mconnor.
Assignee: dveditz → mconnor

  

  



        Attachment #197959 -
        Flags: review?(dwitte)

    
    

    
  
Comment on attachment 197959 [details] [diff] [review]
make CheckDomain actually fail for non-file URIs without a hostname

looks good. it would be safer to default |isFileURI| to false, but that may
break things... i'll punt that question to someone who knows the failure modes
of SchemeIs. darin?

in any case, r=dwitte.

  

  



        Attachment #197959 -
        Flags: review?(dwitte) → review+

    
  

        Attachment #197959 -
        Flags: superreview?(darin)

    
    

    
  
Comment on attachment 197959 [details] [diff] [review]
make CheckDomain actually fail for non-file URIs without a hostname

I agree with dwitte.  It is probably best to initialize isFileURI to PR_FALSE.
Also, you could optimize this code further to avoid calling SchemeIs in the
case where hostFromURI.IsEmpty() is false.  I think you should do that:

if (hostFromURI.IsEmpty()) {
  // check SchemeIs...
}

sr=darin

  

  



        Attachment #197959 -
        Flags: superreview?(darin) → superreview+

    
  

        Attachment #197959 -
        Flags: approval1.8b5?

    
  

        Attachment #197959 -
        Flags: approval1.8b5? → approval1.8b5+

    
    

    
  
Fixed branch and trunk.

  

  


Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED

    
    

    
  
what about jar:file://...?

  

  


Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Flags: testcase+

    
    

    
  
Comment on attachment 197959 [details] [diff] [review]
make CheckDomain actually fail for non-file URIs without a hostname

a=dveditz for drivers on the aviary101/moz17 branches.

  

  



        Attachment #197959 -
        Flags: approval1.7.13+

        Attachment #197959 -
        Flags: approval-aviary1.0.8+

    
    

    
  
Fix checked into aviary101/moz17 branches

  

  


Keywords: fixed-aviary1.0.8, 
          
            fixed1.7.13

    
    

    
  
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060216 Firefox/1.0.8. Cookie fails. adding relevant keyword.

verified fixed using Mozilla 1.7.13 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060216. Cookie fails, adding relevant keyword.

  

  


Keywords: fixed-aviary1.0.8, 
          
            fixed1.7.13verified-aviary1.0.8, 
          
            verified1.7.13
Group: security
Flags: in-testsuite+ → in-testsuite?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: