User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:188.8.131.52) Gecko/2009030719 GranParadiso/3.0.7
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:184.108.40.206) Gecko/2009030719 GranParadiso/3.0.7

It seems that the cookies created by a website using, for example, the domain example.com are also transmitted to example.com:4242 (replace 4242 by any port number).

RFC 2965 states:

> Port The default behavior is that a cookie MAY be returned to any
> request-port.

I think this could lead to security problems with cookie stealing, for example on mass virtual hosting where someone could open a server on port 8080 and still get cookies targeted to the website running on port 80.

Reproducible: Always

Steps to Reproduce:
1. Make a website running on yourserver:X (X being the port) send a cookie to Firefox
2. Open a netcat listening on port Y on yourserver
3. Connect to yourserver:Y with Firefox

Actual Results: The cookies for yourserver:X are being transmitted to yourserver:Y.

Expected Results: I guess two sites running on distinct port numbers should be treated as different websites.

Dupe of bug 469287, bug 227475, bug 189784, etc.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 469287
Status: RESOLVED → VERIFIED
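
The port behaviour quoted from RFC 2965 can be observed offline with Python's standard `http.cookiejar` client, which implements that RFC. This is an added example, not part of the original report and not Firefox code; the `FakeResponse` class, the `cookie_header_for` helper and the cookie value `sid=abc` are constructed for illustration.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, header_name, header_value):
        self._headers = email.message.Message()
        self._headers[header_name] = header_value

    def info(self):
        return self._headers


def cookie_header_for(set_header, set_value, origin_url, target_url):
    """Store a cookie received from origin_url, then return the Cookie
    header the jar would attach to a request for target_url (or None)."""
    jar = CookieJar(DefaultCookiePolicy(rfc2965=True))
    jar.extract_cookies(FakeResponse(set_header, set_value),
                        urllib.request.Request(origin_url))
    outgoing = urllib.request.Request(target_url)
    jar.add_cookie_header(outgoing)
    return outgoing.get_header("Cookie")


# Constructed sample values; example.com and port 4242 come from the report.
SITE = "http://example.com/"
OTHER_PORT = "http://example.com:4242/"

# Plain Set-Cookie carries no port restriction, so the other port receives it.
leaked = cookie_header_for("Set-Cookie", "sid=abc", SITE, OTHER_PORT)

# RFC 2965 Set-Cookie2 with a bare Port attribute pins the cookie to the
# port it was received from (80 here), so port 4242 gets nothing.
PINNED = 'sid=abc; Version="1"; Port'
pinned_other = cookie_header_for("Set-Cookie2", PINNED, SITE, OTHER_PORT)
pinned_same = cookie_header_for("Set-Cookie2", PINNED, SITE, SITE)

if __name__ == "__main__":
    print("Set-Cookie, other port      :", leaked)
    print("Set-Cookie2 + Port, other   :", pinned_other)
    print("Set-Cookie2 + Port, same    :", pinned_same)
```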