Opened 7 years ago

Last modified 23 months ago

#8192 new defect

Secure cookie inconsistencies

Reported by: mikkoharhanen | Owned by: pde
Priority: Medium | Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere | Version: HTTPS-E 4.0dev4
Severity: Normal | Keywords:
Cc: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:

Description

I tried to secure (JavaScript) cookies with poor success. I made three rule sets with different target host attributes to test https://www.fortum.com. I was expecting that cookies were secured in all of these tests. Not sure if test case 1 is a defect or intended behaviour, but at least Chrome is acting strange.

Here are the results:

FIREFOX

Test 1)
<target host="www.fortum.com">
<target host="fortum.com">
Cookies:
Host: www.fortum.com Name: Sitester_Nth1328	[Secured]
Domain: .fortum.com Name: __utma		[Not secured]

Test 2)
<target host="*.fortum.com">
<target host="fortum.com">
Cookies:
Host: www.fortum.com Name: Sitester_Nth1328	[Secured]
Domain: .fortum.com Name: __utma		[Secured]

Test 3)
<target host=".fortum.com"> # validation error but works as a local rule
<target host="fortum.com">
<target host="www.fortum.com">
Cookies:
Host: www.fortum.com Name: Sitester_Nth1328	[Secured]
Domain: .fortum.com Name: __utma		[Secured]

CHROME

Test 4)
<target host="www.fortum.com">
<target host="fortum.com">
Cookies:
Domain: www.fortum.com Name: Sitester_nth1382	[Not secured]
Domain: .www.fortum.com Name: Sitester_nth1382	[Secured]
Domain: .fortum Name: __utma			[Not secured]

Test 5)
<target host="*.fortum.com">
<target host="fortum.com">
Cookies:
Domain: www.fortum.com Name: Sitester_nth1382	[Not secured]
Domain: .www.fortum.com Name: Sitester_nth1382	[Secured]
Domain: .fortum Name: __utma			[Not secured]

Attachments (3)

Fortum_www.xml (241 bytes) - added by mikkoharhanen 7 years ago.
Fortum_wildcard.xml (244 bytes) - added by mikkoharhanen 7 years ago.
Fortum_dot.xml (272 bytes) - added by mikkoharhanen 7 years ago.

Change History (4)

Changed 7 years ago by mikkoharhanen

Attachment: Fortum_www.xml added

Changed 7 years ago by mikkoharhanen

Attachment: Fortum_wildcard.xml added

Changed 7 years ago by mikkoharhanen

Attachment: Fortum_dot.xml added

comment:1 Changed 23 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"