
Intent to unship http-equiv cookies


Jonathan Kingston

May 10, 2018, 7:45:54 AM5/10/18
to dev-platform
Meta tags provide equivalent behaviour to sending HTTP headers via the
“http-equiv” attribute.

Set-Cookie can be used to provide cookies to the user via this attribute:
<meta http-equiv="Set-Cookie" content="meta=tag">

However, this behaviour isn’t restrictable via a Content Security Policy.
This gives an attacker the ability to change a user's cookies via an XSS
exploit and also fixate session cookies.

Impact on the Web:

The HTML specification has removed this behaviour:

https://github.com/whatwg/html/pull/3649

Web platform tests:

https://github.com/w3c/web-platform-tests/blob/master/cookies/meta-blocked.html

Chrome removed it in version 65, and it appears Edge has implemented the
changes to land in the next release.

The usage of the feature is intermittent according to Chrome: “shows up on
~0.02% of pages, with intermittent spikes up to ~0.06%. Cloudflare's error
page seems like a reasonable explanation of this behavior”.

Chrome’s intent to deprecate:
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/0sJ8GUJO0Dw/iMmcXLIGBAAJ

Chrome code: https://bugs.chromium.org/p/chromium/issues/detail?id=767813

Removal implementation:

The rollout strategy is to disable via a preference and let it ride the
releases to stable.

Firefox will remove access to this feature in Firefox 62.

The work will commence in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1457503

Kind regards

Jonathan
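Sites that still rely on the meta tag described in this post will silently lose those cookies once the removal ships, so the useful defender-side check is an audit of served HTML for `http-equiv="Set-Cookie"`. The following scanner is an added example, not code from the post or from Firefox; it uses only Python's standard `html.parser`, and the sample HTML is constructed (it reuses the `meta=tag` example from the post and adds a second, hypothetical `sid` cookie).

```python
"""Audit HTML for <meta http-equiv="Set-Cookie"> tags, which browsers no
longer honour (removed in Chrome 65, planned for Firefox 62).
Added example; the SAMPLE document below is constructed for illustration."""
from html.parser import HTMLParser


class MetaCookieFinder(HTMLParser):
    """Collects every <meta> tag that tries to set a cookie via http-equiv."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        # html.parser already lowercases attribute names; values are kept as-is,
        # so compare the http-equiv value ASCII case-insensitively, as browsers did.
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "set-cookie":
            return
        content = a.get("content", "")
        # Split "name=value; attr; attr" the way a Set-Cookie header is read.
        name_value, _, attributes = content.partition(";")
        name, _, value = name_value.partition("=")
        self.found.append({
            "line": self.getpos()[0],          # line of the offending tag
            "name": name.strip(),
            "value": value.strip(),
            "attributes": [p.strip() for p in attributes.split(";") if p.strip()],
        })


def find_meta_cookies(html):
    """Return a list of dicts, one per meta-delivered cookie found in `html`."""
    parser = MetaCookieFinder()
    parser.feed(html)
    parser.close()
    return parser.found


# Constructed sample: one harmless http-equiv, one meta cookie from the post,
# and a hypothetical session cookie with attributes, in mixed-case markup.
SAMPLE = """<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Set-Cookie" content="meta=tag">
<meta HTTP-EQUIV="set-cookie" CONTENT="sid=abc123; Path=/; HttpOnly">
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in find_meta_cookies(SAMPLE):
        print(f"line {hit['line']}: cookie {hit['name']!r}={hit['value']!r} "
              f"attrs={hit['attributes']}")
```

Run it over templates or crawled responses; any hit is a cookie the site must move to a real `Set-Cookie` header (or `document.cookie` under a CSP you control) before Firefox 62.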