| Summary: | Bypassing HttpOnly cookie in Konqueror | | |
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | Dawid Czagan <dawid> |
| Component: | kcookiejar | Assignee: | David Faure <faure> |
| Status: | CONFIRMED --- | | |
| Severity: | normal | CC: | adawit, dawid |
| Priority: | NOR | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | unspecified | | |
| OS: | Unspecified | | |
| Latest Commit: | | Version Fixed In: | |
| Attachments: | Simple code to play with the issue | | |

Description
Dawid Czagan
2014-02-04 13:46:43 UTC
Which browser engine did you use to test this? webkit or khtml?

KHTML

Do you by any chance have a test case for this? Otherwise, I will have to create a test case which might take a while.

I have a simple PHP site created to play with this issue (if you are interested, I will paste the code here). By the way - when are you going to fix this issue?

Feel free to post the script. I am already looking into it now and hopefully will get a fix out before the 4.12.3 release.

Created attachment 85145
Simple code to play with the issue
Run it, refresh and see that JavaScript was able to overwrite cookie1, which has the HttpOnly flag set.

This is probably a WONTFIX for the same reasons outlined by the Firefox developers in https://bugzilla.mozilla.org/show_bug.cgi?id=607613 Read the discussion in that ticket and see the security considerations section 8 under http://www.rfc-editor.org/rfc/rfc6265.txt

JavaScript can't overwrite HttpOnly cookies in Firefox (I tested it). BTW there is no reason to allow JavaScript to overwrite HttpOnly cookies and this overwriting can only lead to problems. Moreover, it turns out that the majority of browsers don't allow the aforementioned overwriting. Please let me know if you are going to fix this problem in Konqueror.
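The behaviour discussed in this thread, as an added example that is not part of the bug report, the attachment or kcookiejar: a toy cookie jar that applies the "non-HTTP API" checks from the RFC 6265 storage model (section 5.3, steps 10 and 11.2), replayed once with the check off and once with it on. The class, function and cookie values are hypothetical, and cookies are matched by name only.

```javascript
// Added illustration, not kcookiejar code; all names here are hypothetical.
// Cookies are keyed by name only (domain/path matching is omitted).
class CookieJar {
  constructor(enforceHttpOnly) {
    this.enforceHttpOnly = enforceHttpOnly;
    this.store = new Map(); // name -> { value, httpOnly }
  }

  // Parse "name=value; Attr; Attr=..." into a cookie record.
  static parse(line) {
    const [pair, ...attrs] = line.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return null; // no cookie name: ignore
    const httpOnly = attrs.some(a => a.toLowerCase() === 'httponly');
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly };
  }

  // fromHttp: true for a Set-Cookie header, false for a document.cookie write.
  setCookie(line, fromHttp) {
    const cookie = CookieJar.parse(line);
    if (!cookie) return false;
    if (this.enforceHttpOnly && !fromHttp) {
      // RFC 6265 section 5.3 step 10: script may not create an HttpOnly cookie.
      if (cookie.httpOnly) return false;
      // Step 11.2: script may not replace an existing HttpOnly cookie.
      const old = this.store.get(cookie.name);
      if (old && old.httpOnly) return false;
    }
    this.store.set(cookie.name, { value: cookie.value, httpOnly: cookie.httpOnly });
    return true;
  }

  // Cookie request header: every stored cookie is sent to the server.
  httpView() {
    return [...this.store].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// Constructed scenario: the server sets cookie1 as HttpOnly, then page script
// writes cookie1 through document.cookie.
function replay(enforceHttpOnly) {
  const jar = new CookieJar(enforceHttpOnly);
  jar.setCookie('cookie1=server-value; HttpOnly', true);
  const accepted = jar.setCookie('cookie1=script-value', false);
  return { accepted, sent: jar.httpView() };
}

console.log(replay(false)); // check disabled
console.log(replay(true));  // check enabled
```

With the check disabled the server receives the script-supplied value for cookie1 on the next request; with it enabled the script write is ignored and the server-set value is kept.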