Re: Delete-Cookie header??

Noodling on this, the current Cookie RFC (6265) says this in the Storage
Model section:

   The user agent stores the following fields about each cookie: name,
   value, expiry-time, domain, path, creation-time, last-access-time,
   persistent-flag, host-only-flag, secure-only-flag, and http-only-flag.


If user agents were to actually store the domain of the server which
created the cookie (which may be different from the Domain attribute) -
either the domain of the server which sent the Set-Cookie header or blank
if the cookie was created locally - then a Delete-Cookie header could be
accepted only if it came from the same server domain.

That could also apply to clear-site-data and the use of the Set-Cookie
header to delete cookies by setting a Max-Age value of 0 or an Expires date
in the past.


On Tue, Feb 25, 2025 at 1:23 PM Daniel Veditz <dveditz@mozilla.com> wrote:

> > wouldn't the risks called-out also be a problem with clear-site-data
> which wipes out all
> > cookies (including parent and horizontally to peers)?
>
> clear-site-data can be abused to DOS a domain: log people out, delete
> locally-saved settings
>
> Deleting specific cookies by name could be used in more subtle attacks
> on web application
> logic: turning off features, breaking app consistency, clearing the
> way so your forged
> same-name replacement cookies are accepted by the app (harder to
> generalize, but a
> much worse problem for some victim sites)
>
> -Dan Veditz
>


-- 
Rory Hewitt

https://www.linkedin.com/in/roryhewitt

Received on Tuesday, 25 February 2025 21:36:42 UTC
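The creator-host check Rory proposes above, as an added example that is not code from the thread or from any browser: a toy cookie store that keeps the RFC 6265 section 5.3 fields plus one extra field, the host that sent the Set-Cookie (blank for a locally created cookie), and lets a server evict a cookie only when that field matches the requesting host. The Delete-Cookie header is hypothetical and is assumed here to carry a name plus optional Domain and Path attributes like Set-Cookie; the same check is applied to the existing deletion route of Max-Age=0 or a past Expires, as the message suggests. Host names and cookie values are constructed.

```python
"""Toy cookie store: RFC 6265 section 5.3 fields plus the proposed
'creator-host' field. Constructed example; Delete-Cookie is hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import time


@dataclass
class StoredCookie:
    # The fields RFC 6265 section 5.3 says a user agent stores per cookie.
    name: str
    value: str
    expiry_time: Optional[float]
    domain: str
    path: str
    creation_time: float
    last_access_time: float
    persistent_flag: bool
    host_only_flag: bool
    secure_only_flag: bool
    http_only_flag: bool
    # Field from the proposal (not in RFC 6265): host of the server that sent
    # the Set-Cookie, or "" when the cookie was created locally.
    creator_host: str


Key = Tuple[str, str, str]  # (name, domain, path) identifies a stored cookie


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching, restricted to DNS names."""
    return host == domain or host.endswith("." + domain)


class CookieJar:
    def __init__(self) -> None:
        self._cookies: Dict[Key, StoredCookie] = {}

    def _evict(self, request_host: str, key: Key) -> str:
        """The check from the thread: only the creating server may delete."""
        cookie = self._cookies.get(key)
        if cookie is None:
            return "not-found"
        if cookie.creator_host != request_host:
            return "refused"  # sibling host, parent host, or a local cookie
        del self._cookies[key]
        return "deleted"

    def set_cookie(self, request_host: str, name: str, value: str, *,
                   domain: Optional[str] = None, path: str = "/",
                   max_age: Optional[int] = None, expires: Optional[float] = None,
                   secure: bool = False, http_only: bool = False,
                   now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if domain is not None and not domain_match(request_host, domain):
            return "rejected"  # RFC 6265 5.3 step 6: Domain must cover the request host
        expiry = now + max_age if max_age is not None else expires  # Max-Age wins
        key: Key = (name, domain or request_host, path)
        if expiry is not None and expiry <= now:
            # Max-Age=0 or a past Expires is a deletion in disguise, so it goes
            # through the same creator-host check as Delete-Cookie.
            return self._evict(request_host, key)
        old = self._cookies.get(key)
        self._cookies[key] = StoredCookie(
            name=name, value=value, expiry_time=expiry,
            domain=domain or request_host, path=path,
            creation_time=old.creation_time if old else now,  # 5.3 step 11.3
            last_access_time=now, persistent_flag=expiry is not None,
            host_only_flag=domain is None, secure_only_flag=secure,
            http_only_flag=http_only, creator_host=request_host)
        return "stored"

    def add_local_cookie(self, name: str, value: str, domain: str,
                         path: str = "/", now: Optional[float] = None) -> None:
        """A cookie created locally (no server involved): creator_host is ''."""
        now = time.time() if now is None else now
        self._cookies[(name, domain, path)] = StoredCookie(
            name, value, None, domain, path, now, now,
            False, False, False, False, creator_host="")

    def delete_cookie(self, request_host: str, name: str, *,
                      domain: Optional[str] = None, path: str = "/") -> str:
        """Hypothetical Delete-Cookie header, honoured only for the creator."""
        if domain is not None and not domain_match(request_host, domain):
            return "rejected"
        return self._evict(request_host, (name, domain or request_host, path))

    @staticmethod
    def _sent_to(cookie: StoredCookie, host: str) -> bool:
        if cookie.host_only_flag:
            return host == cookie.domain
        return domain_match(host, cookie.domain)

    def names_for(self, host: str) -> List[str]:
        """Names of cookies that would be sent to `host` (RFC 6265 5.4)."""
        return sorted(c.name for c in self._cookies.values() if self._sent_to(c, host))


def demo() -> List[str]:
    """Sibling-host scenario from the thread; returns the outcome of each step."""
    jar, now = CookieJar(), 1000.0
    return [
        jar.set_cookie("app.example.com", "session", "abc",
                       domain="example.com", max_age=3600, now=now),
        # Another host under the same parent tries both deletion routes.
        jar.set_cookie("other.example.com", "session", "",
                       domain="example.com", max_age=0, now=now),
        jar.delete_cookie("other.example.com", "session", domain="example.com"),
        # The host that created the cookie may still delete it.
        jar.delete_cookie("app.example.com", "session", domain="example.com"),
    ]
```

Note that the check keys on the request host, not on the cookie's Domain attribute, which is exactly what lets a cookie scoped to example.com survive an eviction attempt from a sibling or parent host; a locally created cookie has an empty creator host and so is never deletable by any server.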