Cookies attributes at HTTP request Cookie header


José Miguel del Río

May 27, 2024, 2:07:21 PM
to Chromium-discuss
Hi,

Our website is protected by a WAF system.
It is blocking a few users' requests because at the Cookie header they are including the cookies' attributes (Secure, HttpOnly...), which violates RFC6265 (cookie attributes are meant to be specified by the server at the response Set-Cookie header, not sent back by the browser at the request Cookie header). E.g.:
Cookie: Lenguaje=es; path=/; domain=xxx; secure; httpOnly; ...

We wonder how the cookie attributes are making their way to the request Cookie header.
The User-Agent is supposedly a Chromium based one (Chrome, Edge), although you never know for sure.
If I'm looking at the right place (url_request_http_job.cc: SetCookieHeaderAndStart, canonical_cookie.cc: BuildCookieLine), I'd say the request's Cookie header line is built only with name=value pairs, not attributes.
There are other places in the code where the attributes are returned (e.g. BuildCookieAttributesLine), but I'd say it is not used to build HTTP requests.
In summary, is there any way Chrome could be building a request Cookie header with cookies' attributes in it?

Another option we can think of is that those users are (incorrectly) scripting HTTP requests, reusing the previously received cookies together with their attributes.
Thanks for your feedback.
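An added example (not from this thread or from Chromium) of the two checks this question calls for on the defender side: triaging a request Cookie header for tokens that can only come from a Set-Cookie line, and showing what a correctly written script should echo back instead. The Set-Cookie sample with the Domain value is constructed for the demo.

```python
# Attribute names RFC 6265 (section 5.2) defines for Set-Cookie. They belong in
# the server's response header only and never in a request Cookie header.
SET_COOKIE_ATTRIBUTES = {"expires", "max-age", "domain", "path", "secure",
                         "httponly", "samesite"}


def parse_cookie_header(value: str):
    """Split a request Cookie header into (name, value) pairs.

    RFC 6265 section 4.2.1: cookie-string = cookie-pair *( ";" SP cookie-pair )
    and cookie-pair = cookie-name "=" cookie-value. A token with no "=" is not
    a cookie-pair at all, so it is returned with value None.
    """
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        pairs.append((name.strip(), val.strip() if sep else None))
    return pairs


def audit_cookie_header(value: str):
    """Report the suspicious tokens in a request Cookie header.

    "malformed": bare tokens such as "secure" or "httpOnly" (always invalid).
    "attribute_like": pairs whose name is a Set-Cookie attribute. This second
    class is a heuristic: a site may legitimately name a cookie "path", so a
    WAF rule built only on it can produce false positives.
    """
    malformed, attribute_like = [], []
    for name, val in parse_cookie_header(value):
        if val is None:
            malformed.append(name)
        elif name.lower() in SET_COOKIE_ATTRIBUTES:
            attribute_like.append(name)
    return {"malformed": malformed, "attribute_like": attribute_like}


def set_cookie_to_cookie_pair(set_cookie: str) -> str:
    """What a client should send back from a Set-Cookie header: the leading
    name=value only, with every attribute dropped (RFC 6265 section 5.4)."""
    return set_cookie.split(";", 1)[0].strip()


if __name__ == "__main__":
    # Header shape reported in the question (the trailing "..." left out).
    print(audit_cookie_header("Lenguaje=es; path=/; domain=xxx; secure; httpOnly"))
    # Constructed Set-Cookie line; the Domain value is a placeholder.
    print(set_cookie_to_cookie_pair(
        "Lenguaje=es; Path=/; Domain=example.invalid; Secure; HttpOnly"))
```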

PhistucK

May 27, 2024, 2:11:19 PM
to josemiguelde...@gmail.com, Chromium-discuss
Considering this (my trials in the console) -
[attached image: image.png, console trials]
I reckon it might just be an author error (the server/client sets those cookies). If you can reproduce this with no author errors, then it is likely a Chromium bug (or users being naughty).
I know it is hard to diagnose as logs usually do not keep those kinds of headers...

PhistucK


--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss
