Closed Bug 828221 Opened 12 years ago Closed 8 years ago

HttpOnly cookies must never be sent to, or set from, child processes

Categories

(Core :: Networking, defect)

Not set
normal

RESOLVED DUPLICATE of bug 1339129

People

(Reporter: briansmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [necko-backlog])

+++ This bug was initially created as a clone of Bug #827853 +++
+++ This bug was initially created as a clone of Bug #827847 +++

If a cookie is marked HttpOnly, then we should not allow child processes any access to it, and we should only allow the child processes access to the cookie through document.cookie. This will provide defense in depth for sites that use HttpOnly cookies (often auth cookies) against compromised content processes.
Blocks: 827853
Not clear yet if we can block httpOnly from being set in child.

Jonas also seems to think we could get away with preventing *any* cookie headers from being seen in child unless app has system XHR privileges.

Much will depend on bug 805616--we can only do 3rd party checks correctly in child (? maybe we could do work to not make that true), so we might need to set cookies on child, in which case we have to let them see them.
Whiteboard: [necko-backlog]
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
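
A minimal sketch of the rule in this bug's title, added here as an example and not taken from Gecko: the parent process keeps the full cookie jar, leaves HttpOnly entries out of what it hands to a child, and refuses child requests that would set or overwrite one. `Cookie`, `ParentCookieStore` and its methods are hypothetical names, and the example assumes that Set-Cookie headers are parsed in the parent and that HttpOnly sets from the child can be blocked, which the comments above leave open.

```cpp
#include <map>
#include <string>

// Hypothetical, simplified cookie record (not Gecko's cookie type).
struct Cookie {
  std::string name;
  std::string value;
  bool httpOnly;
};

// Hypothetical parent-process jar for a single host, keyed by cookie name.
class ParentCookieStore {
 public:
  // Network path: a Set-Cookie response header parsed in the parent.
  void SetFromHttp(const Cookie& c) { jar_[c.name] = c; }

  // IPC path: a content (child) process asks to set a cookie.
  // Returns false when the request is refused.
  bool SetFromChild(const Cookie& c) {
    if (c.httpOnly) return false;  // child may not create HttpOnly cookies
    auto it = jar_.find(c.name);
    if (it != jar_.end() && it->second.httpOnly)
      return false;                // child may not overwrite an HttpOnly cookie
    jar_[c.name] = c;
    return true;
  }

  // IPC path: the string the child receives to back document.cookie.
  std::string CookieStringForChild() const { return Serialize(false); }

  // Parent only: the full Cookie request header, built where the request is sent.
  std::string CookieHeaderForRequest() const { return Serialize(true); }

 private:
  std::string Serialize(bool includeHttpOnly) const {
    std::string out;
    for (const auto& kv : jar_) {
      if (kv.second.httpOnly && !includeHttpOnly) continue;
      if (!out.empty()) out += "; ";
      out += kv.first + "=" + kv.second.value;
    }
    return out;
  }

  std::map<std::string, Cookie> jar_;
};
```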