[tor-bugs] #5536 [EFF-HTTPS Everywhere]: Incorrect use of setResponseHeader for cookie



#5536: Incorrect use of setResponseHeader for cookie
----------------------------------+-----------------------------------------
 Reporter:  mkaply                |          Owner:  pde
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:     
Component:  EFF-HTTPS Everywhere  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------
 In the file HTTPS.js, HTTPS Everywhere is attempting to make some cookies
 secure. In particular:


       try {
         // Set-Cookie values are joined with "\n", hence the split below
         var cookies = req.getResponseHeader("Set-Cookie");
       } catch(mayHappen) {
         //this.log(VERB,"Exception hunting Set-Cookie in headers: " + mayHappen);
         return;
       }
       if (!cookies) return;
       var c;
       for each (var cs in cookies.split("\n")) {
         this.log(DBUG, "Examining cookie: ");
         c = new Cookie(cs, host);
         if (!c.secure && HTTPSRules.shouldSecureCookie(alist, c)) {
           this.log(INFO, "Securing cookie: " + c.domain + " " + c.name);
           c.secure = true;
           // third argument: true = merge with the existing header value
           req.setResponseHeader("Set-Cookie", c.source + ";Secure", true);
         }
       }

 While according to the docs, true should merge cookies, what actually is
 happening inside of Firefox is really undetermined (we're seeing problems
 in our addon because of it).

 What you should be doing is:

           req.setResponseHeader("Set-Cookie", c.source + ";Secure", false);

 The goal with this code is to replace the non secure cookie with a secure
 cookie. It is not to merge it with the other cookie.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5536>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
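The following is an added example, not code from HTTPS Everywhere or from the ticket's reporter. It models a response-header table with the merge/replace choice that the third argument of setResponseHeader selects, then runs the ticket's loop against it both ways. The model is an assumption: Set-Cookie values are stored as one string joined with "\n" (which is what the ticket's split("\n") implies), the header table, parseCookie, secureCookies, secureAllCookies and the sample cookies are all constructed here, and the rule check HTTPSRules.shouldSecureCookie is replaced by "secure every cookie that is not already Secure". The last function goes beyond the ticket: it rewrites the whole cookie list and writes the header once.

```javascript
// Added example (not HTTPS Everywhere code). Constructed model of a
// response-header table; Set-Cookie values are joined with "\n" (assumption).
class ResponseHeaders {
  constructor() { this.map = new Map(); }

  get(name) {
    const v = this.map.get(name.toLowerCase());
    return v === undefined ? null : v;
  }

  // merge === true appends to an existing value; merge === false overwrites it.
  // This mirrors the documented meaning of setResponseHeader's third argument.
  set(name, value, merge) {
    const key = name.toLowerCase();
    if (merge && this.map.has(key)) {
      this.map.set(key, this.map.get(key) + "\n" + value);
    } else {
      this.map.set(key, value);
    }
  }
}

// Minimal Set-Cookie parser (constructed): name, value and the Secure flag.
function parseCookie(line) {
  const parts = line.split(";").map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    secure: false,
    source: line,
  };
  for (const attr of parts.slice(1)) {
    if (attr.toLowerCase() === "secure") cookie.secure = true;
  }
  return cookie;
}

// Same shape as the loop in the ticket: for every cookie that is not Secure,
// write back a Secure copy with the chosen merge flag. Returns the header the
// client would finally see.
function secureCookies(headers, merge) {
  const raw = headers.get("Set-Cookie");
  if (!raw) return null;
  for (const cs of raw.split("\n")) {
    const c = parseCookie(cs);
    if (!c.secure) {
      headers.set("Set-Cookie", c.source + ";Secure", merge);
    }
  }
  return headers.get("Set-Cookie");
}

// Beyond the ticket: rewrite every cookie and set the header exactly once, so
// no insecure original survives and no sibling cookie is dropped.
function secureAllCookies(headers) {
  const raw = headers.get("Set-Cookie");
  if (!raw) return null;
  const rewritten = raw.split("\n").map(cs => {
    const c = parseCookie(cs);
    return c.secure ? c.source : c.source + ";Secure";
  });
  headers.set("Set-Cookie", rewritten.join("\n"), false);
  return headers.get("Set-Cookie");
}

// Constructed sample response: two cookies, neither marked Secure.
function sampleHeaders() {
  const h = new ResponseHeaders();
  h.set("Set-Cookie", "session=abc123; Path=/", false);
  h.set("Set-Cookie", "pref=dark; Path=/", true);
  return h;
}

console.log("merge=true :", JSON.stringify(secureCookies(sampleHeaders(), true)));
console.log("merge=false:", JSON.stringify(secureCookies(sampleHeaders(), false)));
console.log("rewrite    :", JSON.stringify(secureAllCookies(sampleHeaders())));
```

In this model, merge=true leaves both insecure originals in place alongside their Secure copies, so the client still receives the non-Secure cookies the code meant to remove; merge=false replaces the whole header on every iteration, so with more than one cookie only the last one written survives. Collecting the rewritten cookies and setting the header once avoids both outcomes.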