Chrome set magic restriction for cookies on specific URLs

Hanfei Sun

Nov 24, 2015, 11:46:13 PM
to Chromium-dev
Today I found a weird thing: it seems that Chrome (46.0) sets some restrictions for specific URLs such as `cloudfront.net`.

It can be reproduced like this:

1. In `/etc/hosts`, add two lines:

    127.0.0.1       cloudfront.net
    127.0.0.1       cloudfront.com

2. Start Apache or Nginx for the local server

3. Open Chrome and input `cloudfront.net` in the address bar

4. Run the following statement in the console:

    document.cookie = "test=test; expires=Thu, 01 Jan 2020 00:00:00 GMT;domain=cloudfront.com; path=/"

5. And then

    console.log(document.cookie)

As can be seen, `document.cookie` is empty; it is not set at all, which is weird (see the screenshot below).

However, when I repeat the steps above but change the URL from `cloudfront.net` to `cloudfront.com`, everything works well, like magic (see the screenshot below).

It seems that Chrome has a blacklist of URLs for which users can't set cookies on the root domain; however, I didn't find any specs about that.

Does anyone have any ideas about this?


Scott Graham

Nov 24, 2015, 11:54:58 PM
to ad9...@gmail.com, Chromium-dev


Anand

Nov 24, 2015, 11:56:11 PM
to Chromium-dev
It may have something to do with https://github.com/publicsuffix/list/blob/master/public_suffix_list.dat (there's a copy in chromium), which may be preventing you from setting cookies on certain domains.

Hanfei Sun

Nov 25, 2015, 12:40:04 AM
to Chromium-dev
The replies helped me to figure it out. Thanks!

Hanfei

Adam Rice

Nov 25, 2015, 9:12:19 AM
to ad9...@gmail.com, Chromium-dev
For anyone reading this in the future: Chrome has a list of top-level domains like ".com" and ".org". You can't set cookies on these because they'd be visible to all the different organisations under those top-level domains.

There are also private domains like "cloudfront.net" which are similar because they have many subdomains "belonging to" different organisations.

This protects web developers from accidentally exposing their cookies to other organisations, and protects users from privacy abuses.

Joe Mason

Nov 25, 2015, 9:35:58 AM
to ri...@chromium.org, ad9...@gmail.com, Chromium-dev
And to add even more useful context: the list of private domains that should be treated like they're top-level (eg. cloudfront.net) is opt-in by the domain owners, and this whole scheme is documented at https://publicsuffix.org/
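
The rule described in the replies above, as an added example that is not part of the original thread and is not Chrome's code: a small JavaScript model of the public-suffix check applied to a cookie's `Domain` attribute. The rule excerpt is constructed in the list's file format, and the function names are hypothetical.

```javascript
// Constructed excerpt in the public_suffix_list.dat format (not the real list).
const PSL_EXCERPT = `
// ===BEGIN ICANN DOMAINS===
com
net
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
cloudfront.net
`;

// Parse rules: skip blanks and comments, keep exception rules ("!") apart.
function parseRules(text) {
  const rules = new Set(), exceptions = new Set();
  for (const raw of text.split("\n")) {
    const line = raw.trim().toLowerCase();
    if (!line || line.startsWith("//")) continue;
    if (line.startsWith("!")) exceptions.add(line.slice(1));
    else rules.add(line);
  }
  return { rules, exceptions };
}

// Public suffix of a host: an exception rule wins, otherwise the longest
// matching rule (plain or wildcard), otherwise the default rule "*".
function publicSuffix(host, { rules, exceptions }) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    // An exception rule makes the suffix one label shorter than the rule.
    if (exceptions.has(candidate)) return labels.slice(i + 1).join(".");
    const wildcard = "*." + labels.slice(i + 1).join(".");
    if (rules.has(candidate) || (i + 1 < labels.length && rules.has(wildcard))) return candidate;
  }
  return labels[labels.length - 1];
}

// Simplified model: the Domain attribute must domain-match the request host
// and must not itself be a public suffix. RFC 6265 section 5.3 also lets a
// user agent keep such a cookie as host-only when Domain equals the request
// host; this model follows the rejection reported in the thread instead.
function cookieDomainAllowed(requestHost, domainAttr, list) {
  const host = requestHost.toLowerCase();
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (host !== domain && !host.endsWith("." + domain)) return false; // other site
  return publicSuffix(domain, list) !== domain; // refuse suffix-wide cookies
}
const LIST = parseRules(PSL_EXCERPT);
```

With this excerpt, `cloudfront.net` is itself a public suffix, so a cookie scoped to it is refused, while `cloudfront.com` sits one label below the suffix `com` and is accepted.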
