Loosely Scoped Cookies - Domain attribute behaviour for different values


Sergey Tsaregorodtsev

Nov 15, 2012, 1:32:27 AM
to zaproxy...@googlegroups.com
Hi)

I'm not sure whether this is a stackoverflow kind of question, but still, if anybody has any experience with this kind of problem...)

I'm implementing a passive security scanner to test for loosely scoped domain cookies, and I was wondering about how the cookies are scoped if the *Domain* attribute is specified.

There's some information about this here: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies, but I don't really understand what's the hands-on difference between the scopes of the following possible *Domain* attribute values:

There seems to be different behavior for different browsers, but I'm more interested in what is more generally applied and what behavior is shared between the most popular browsers.

Many thanks in advance for any notes or directions.

Cheers,
Sergey

psiinon

Nov 15, 2012, 8:41:54 AM
to zaproxy...@googlegroups.com
Might be worth having a look at http://www.ietf.org/rfc/rfc2109.txt if you haven't already.
e.g. in section 2:
     A is a FQDN string and has the form NB, where N is a non-empty name
     string, B has the form .B', and B' is a FQDN string.  (So, x.y.com
     domain-matches .y.com but not y.com.)

in section 4.2.2:
 Domain=domain
      Optional.  The Domain attribute specifies the domain for which the
      cookie is valid.  An explicitly specified domain must always start
      with a dot.
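Added example (not code from the thread or from ZAP): the RFC 2109 rules quoted above turned into a small host/domain matcher, plus the classification a passive check like Sergey's could apply to each Set-Cookie header. It follows the strict RFC 2109 reading (sections 2, 4.2.2 and 4.3.2); function names and the sample headers are my own.

```python
from typing import Optional

# Constructed example applying the RFC 2109 rules quoted in this thread:
#   - an explicit Domain must start with a dot (section 4.2.2)
#   - request-host A domain-matches B when A = NB with N non-empty (section 2)
#   - the browser rejects the cookie when N contains a dot, or when the Domain
#     value has no embedded dot such as ".com" (section 4.3.2)
# Browsers following the later RFC 6265 are more permissive (e.g. they ignore
# the leading dot), which is the cross-browser difference Sergey asked about.

def domain_matches(host: str, domain: str) -> bool:
    """True if `host` domain-matches `domain` under RFC 2109 sections 2 and 4.3.2."""
    host, domain = host.lower(), domain.lower()
    if not domain.startswith("."):
        return False                      # "y.com" never matches; ".y.com" may
    if "." not in domain[1:]:
        return False                      # ".com" has no embedded dot: rejected
    if not host.endswith(domain):
        return False
    prefix = host[: -len(domain)]         # the N in A = NB
    return prefix != "" and "." not in prefix

def parse_domain_attribute(set_cookie: str) -> Optional[str]:
    """Return the Domain attribute value of a Set-Cookie header, or None if absent."""
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "domain":
            return value.strip()
    return None

def check_cookie_scope(request_host: str, set_cookie: str) -> str:
    """Classify one Set-Cookie header the way a passive scanner would:
    'host-only' - no Domain attribute, the cookie is sent only to request_host
    'rejected'  - Domain does not domain-match request_host, browser discards it
    'loose'     - Domain accepted and broader than the host, so sibling hosts
                  under that domain receive the cookie too (the finding to report)
    """
    domain = parse_domain_attribute(set_cookie)
    if domain is None:
        return "host-only"
    if not domain_matches(request_host, domain):
        return "rejected"
    return "loose"

if __name__ == "__main__":
    # constructed sample: a session cookie set by x.y.com for the whole .y.com
    print(check_cookie_scope("x.y.com", "sid=abc123; Path=/; Domain=.y.com; HttpOnly"))
```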