Our website is protected by a WAF system.
It is blocking a few users' requests because they are including the cookies' attributes (Secure, HttpOnly...) in the Cookie header, which violates RFC 6265 (cookie attributes are meant to be specified by the server in the response Set-Cookie header, not sent back by the browser in the request Cookie header). E.g.:
Cookie: Lenguaje=es; path=/; domain=xxx; secure; httpOnly; ...
We wonder how the cookie attributes are making their way to the request Cookie header.
The User-Agent is supposedly a Chromium based one (Chrome, Edge), although you never know for sure.
If I'm looking at the right place (url_request_http_job.cc: SetCookieHeaderAndStart, canonical_cookie.cc: BuildCookieLine), I'd say the request's Cookie header line is built only with name=value pairs, not attributes.
There are other places in the code where the attributes are returned (e.g. BuildCookieAttributesLine), but I'd say they are not used to build HTTP requests.
In summary, is there any way Chrome could be building a request Cookie header with cookies' attributes in it?
Because the other option we can think of is that those users are (incorrectly) scripting HTTP requests, reusing the previously received cookies together with their attributes.
Thanks for your feedback.
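To make the RFC 6265 point concrete, here is an added example (not code from the original post, and not Chromium's code): a minimal client-side cookie jar that stores only name=value pairs from Set-Cookie and builds the request Cookie header the way section 5.4 describes, next to a WAF-style check that reports which attribute names (path, domain, secure, httpOnly, ...) have leaked into a request Cookie header. The cookie names, values and domains in it are constructed for the example.

```python
"""Added example, not from the original post or from Chromium.

Two sides of the problem described above:
  * a client that follows RFC 6265: attributes from Set-Cookie are used for
    storage decisions but never echoed back; the request Cookie header is
    only "name=value; name=value" (section 5.4);
  * a WAF-side check that lists the attribute names found in a request Cookie
    header, which is how the blocked requests in the question would be spotted.
All header strings used here are constructed sample data.
"""

# Attribute names defined by RFC 6265 plus common extensions (SameSite, Priority,
# Partitioned). Bare tokens (Secure, HttpOnly) and name=value forms both appear
# here because both were present in the offending Cookie line.
COOKIE_ATTRIBUTES = {
    "expires", "max-age", "domain", "path", "secure", "httponly",
    "samesite", "priority", "partitioned",
}


def parse_set_cookie(header: str) -> tuple[str, str]:
    """Return the (name, value) pair of a Set-Cookie header value.

    Per RFC 6265 section 5.2 the first ';'-separated piece is the cookie-pair;
    everything after it is attributes, which a conforming client consumes for
    storage decisions and then discards. They must never reach the Cookie
    header of a later request.
    """
    cookie_pair, *_attributes = header.split(";")
    name, sep, value = cookie_pair.partition("=")
    name, value = name.strip(), value.strip()
    if not sep or not name:
        raise ValueError(f"malformed cookie-pair: {cookie_pair!r}")
    return name, value


def build_cookie_line(jar: dict[str, str]) -> str:
    """Build the request Cookie header (RFC 6265 section 5.4): only name=value
    pairs joined by '; ', in insertion order, with no attributes at all."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())


def cookie_attributes_in_request(cookie_header: str) -> list[str]:
    """WAF-style check: return the attribute names present in a request Cookie
    header, lower-cased, in the order found. A conforming client yields []."""
    found = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        # A bare token such as "secure" has no '='; partition() then returns
        # the whole token as the name, which is exactly what we want to test.
        name = part.partition("=")[0].strip().lower()
        if name in COOKIE_ATTRIBUTES:
            found.append(name)
    return found


if __name__ == "__main__":
    # Constructed Set-Cookie headers as a server would send them.
    responses = [
        "Lenguaje=es; Path=/; Domain=example.test; Secure; HttpOnly",
        "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    ]
    jar = dict(parse_set_cookie(h) for h in responses)
    print("conforming Cookie header:", build_cookie_line(jar))

    # Constructed request line of the shape shown in the question.
    offending = "Lenguaje=es; path=/; domain=example.test; secure; httpOnly"
    print("attributes leaked into request:", cookie_attributes_in_request(offending))
```

The check only looks at the name on the left of each `=` (or the bare token), so a legitimate cookie that happens to be named `path` or `domain` would also be reported; if such names exist on a site, the rule should additionally require the tell-tale bare `secure`/`httponly` tokens, which no conforming browser ever places in a Cookie header.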