Taking the port into account #5

Open
randomstuff opened this issue May 6, 2021 · 1 comment

Comments

@randomstuff

In this proposal, the port is (still) not taken into account.

In particular, this claim is somewhat wrong (emphasis mine):

cookies are given an internal scheme component […]

Cookies will be accessible only to the scheme which set them, matching in this respect the scope of other storage mechanisms available on the web.

Other storage mechanisms (e.g. localStorage) are actually origin-bound and thus take the port into account.

For http: localhost applications, the ability to scope the cookies per origin might be important. Without this, the cookies of an http://127.0.0.1:4567 application can be exfiltrated by other local users by:

  1. spawning another localhost HTTP service such as http://127.0.0.1:4568;
  2. triggering a request to this page from the user.

Would it make sense to take the port into account as well? If this is not the case, this corner case should probably be explained in the FAQ.
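The scoping difference the comment describes, as an added example that is not part of the issue, the proposal or any browser's code. It drives Python's standard `http.cookiejar`, whose default policy applies the usual host-and-path cookie scoping with no port check, and contrasts it with a hypothetical `OriginKeyedJar` (constructed for the demo) that keys on the full origin the way localStorage does. The URLs, the `session` cookie value and the `_FakeResponse` helper are all constructed inputs.

```python
"""Cookie scope ignores the port; an origin-keyed store does not.

Added example: simulates http://127.0.0.1:4567 setting a cookie and shows
which stores hand it back to a request for http://127.0.0.1:4568.
"""
import email.message
import http.cookiejar
import urllib.request
from urllib.parse import urlsplit


class _FakeResponse:
    """Stand-in for an HTTP response carrying Set-Cookie headers (constructed)."""

    def __init__(self, set_cookie_values):
        self._msg = email.message.Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value

    def info(self):  # http.cookiejar only needs .info().get_all("Set-Cookie")
        return self._msg


def cookies_sent_to(jar, url):
    """Return the Cookie header the jar attaches to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def host_scoped_demo():
    """Standard cookie jar: same host, different port, same cookies."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request("http://127.0.0.1:4567/login")
    # The "victim" app on port 4567 sets its session cookie (constructed value).
    jar.extract_cookies(_FakeResponse(["session=secret-token; Path=/"]), login)
    return {
        "http://127.0.0.1:4567/": cookies_sent_to(jar, "http://127.0.0.1:4567/"),
        # A second local listener on port 4568 receives the very same header.
        "http://127.0.0.1:4568/": cookies_sent_to(jar, "http://127.0.0.1:4568/"),
    }


class OriginKeyedJar:
    """Hypothetical store keyed on (scheme, host, port), i.e. the web origin.

    Not a real browser or library API; it exists only to show what
    port-aware (origin-bound) cookie scoping would look like.
    """

    def __init__(self):
        self._store = {}

    @staticmethod
    def origin(url):
        parts = urlsplit(url)
        port = parts.port or {"http": 80, "https": 443}[parts.scheme]
        return (parts.scheme, parts.hostname, port)

    def set(self, url, name, value):
        self._store.setdefault(self.origin(url), {})[name] = value

    def cookies_for(self, url):
        return dict(self._store.get(self.origin(url), {}))


def origin_bound_demo():
    """Origin-keyed store: port 4568 is a different origin and gets nothing."""
    jar = OriginKeyedJar()
    jar.set("http://127.0.0.1:4567/login", "session", "secret-token")
    return {
        "http://127.0.0.1:4567/": jar.cookies_for("http://127.0.0.1:4567/"),
        "http://127.0.0.1:4568/": jar.cookies_for("http://127.0.0.1:4568/"),
    }


if __name__ == "__main__":
    for url, header in host_scoped_demo().items():
        print(f"host-scoped   {url} -> Cookie: {header}")
    for url, cookies in origin_bound_demo().items():
        print(f"origin-keyed  {url} -> {cookies}")
```

In the host-scoped case the attacker's step 2 is all that remains: any request the user's browser makes to port 4568 carries `session=secret-token`, and the listener on 4568 simply logs the header. A `Secure` attribute would not help here either, since both listeners are plain http:; only scoping the cookie to the full origin, as the origin-keyed store does, separates the two ports.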

@randomstuff
Author

The proposal I was looking for is Origin-Bound cookies.
