Bug 629325
Opened 13 years ago
Closed 8 years ago
Cookie Attribute 'FirstPartyOnly' to prevent CSRF
Categories
(Core :: Networking: Cookies, enhancement)
RESOLVED
DUPLICATE
of bug 795346
People
(Reporter: OlafvdSpek, Unassigned)
References
Details
(Whiteboard: [necko-would-take])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

Would it be possible to create a cookie attribute (let's call it FirstPartyOnly) that causes this cookie to only be sent when the cookie domain matches the domain of the source of the request?

Suppose I've got a document at example.net that includes an image at b.net. If b.net's cookie is marked FirstPartyOnly, it shouldn't be sent.

This attribute should probably be discussed with other major browser vendors.

Reproducible: Always
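The rule the description asks for, modelled in JavaScript as an added example (this is not code from the bug, from Firefox, or from the draft discussed later in the thread): a cookie flagged FirstPartyOnly is attached to a request only when the cookie's domain also domain-matches the host of the top-level document that caused the request, so a cross-site image or form post does not carry it. Assumptions made here: domain matching is the RFC 6265 suffix-on-a-label-boundary test with no public-suffix list, the attribute is spelled `FirstPartyOnly`, and `SameSite=Strict` (the name the idea was later standardized under) is accepted as a synonym; `SameSite=Lax` is not modelled. The sample cookie jar is constructed for the example.net / b.net scenario in the description.

```javascript
// Added example, not from the bug report or from Firefox: a small model of the
// proposed FirstPartyOnly cookie attribute.
//
// Assumptions: domain matching is the RFC 6265 suffix-on-a-label-boundary
// test with no public-suffix list; the attribute is spelled "FirstPartyOnly",
// and "SameSite=Strict" is accepted as a synonym. SameSite=Lax is not modelled.

// RFC 6265 section 5.1.3 domain-match (IP-address hosts are out of scope).
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Parse one Set-Cookie header received from requestHost into a jar entry.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: requestHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: exact host match only
    firstPartyOnly: false,
  };
  for (const attr of attrs) {
    const idx = attr.indexOf("=");
    const key = (idx < 0 ? attr : attr.slice(0, idx))
      .trim()
      .toLowerCase()
      .replace(/-/g, ""); // accept First-Party-Only as well as FirstPartyOnly
    const val = idx < 0 ? "" : attr.slice(idx + 1).trim();
    if (key === "domain") {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "firstpartyonly") {
      cookie.firstPartyOnly = true;
    } else if (key === "samesite" && val.toLowerCase() === "strict") {
      cookie.firstPartyOnly = true; // treated as a synonym (assumption)
    }
  }
  return cookie;
}

// Jar entries the browser would attach to a request to requestHost that was
// triggered by a document whose top-level host is topLevelHost.
function cookiesForRequest(jar, requestHost, topLevelHost) {
  return jar.filter((c) => {
    const targetOk = c.hostOnly
      ? requestHost.toLowerCase() === c.domain
      : domainMatches(requestHost, c.domain);
    if (!targetOk) return false;
    // The proposed rule: a FirstPartyOnly cookie additionally requires the
    // top-level document to be on the cookie's domain.
    if (c.firstPartyOnly && !domainMatches(topLevelHost, c.domain)) return false;
    return true;
  });
}

// The Cookie request header that would result.
function cookieHeader(jar, requestHost, topLevelHost) {
  return cookiesForRequest(jar, requestHost, topLevelHost)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample jar: b.net has set one FirstPartyOnly cookie and one
// ordinary cookie, and api.b.net has set a domain-wide cookie using the
// SameSite=Strict spelling.
function demoJar() {
  return [
    parseSetCookie("session=abc; FirstPartyOnly", "b.net"),
    parseSetCookie("prefs=dark", "b.net"),
    parseSetCookie("sid=1; Domain=b.net; SameSite=Strict", "api.b.net"),
  ];
}

const exampleJar = demoJar();
// A document at example.net embeds an image from b.net: only prefs goes out.
console.log("example.net -> b.net:", cookieHeader(exampleJar, "b.net", "example.net"));
// The same request made from a b.net page: everything goes out.
console.log("b.net -> b.net:", cookieHeader(exampleJar, "b.net", "b.net"));
```

The CSRF case falls out of the same filter: a form on a third-party page that posts to b.net is a request to b.net with a top-level host elsewhere, so the FirstPartyOnly session cookie is withheld while ordinary cookies still travel.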
Updated•13 years ago
Version: unspecified → 3.6 Branch
Comment 1•13 years ago
Confirming. Seems like something Content Security Policies could solve.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•9 years ago
This is something various people have been working on: Mike West has been working on this document https://tools.ietf.org/html/draft-west-first-party-cookies-01 which, in turn, is similar to SameDomain cookies (which came close to being implemented a while ago; see bug 795346). People are starting to play with this; I think the time has come to make the idea a reality.
Component: Security → Networking: Cookies
Product: Firefox → Core
Version: 3.6 Branch → unspecified
Updated•9 years ago
See Also: → samesite-cookies
Reporter
Comment 3•9 years ago
An explicit ThirdPartyToo attribute might be handy too, then a user setting could make FirstPartyOnly the default. Or it could forbid ThirdPartyToo cookies.
Updated•8 years ago
Whiteboard: [necko-would-take]
Comment 4•8 years ago
There may be some subtle differences in what you wanted and what folks are coalescing around as a proposed standard, but bug 795346 is where the action is. We're not going to implement two different things here so if there are differences you feel strongly about it would be better to influence the standard discussions, which in turn will be reflected in the bug 795346 implementation work.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE