[tor-bugs] #5536 [EFF-HTTPS Everywhere]: Incorrect use of setResponseHeader for cookie
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Mar 30 14:19:58 UTC 2012
#5536: Incorrect use of setResponseHeader for cookie
----------------------------------+-----------------------------------------
Reporter: mkaply | Owner: pde
Type: defect | Status: new
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
In the file HTTPS.js, HTTPS Everywhere is attempting to make some cookies
secure. In particular:
  try {
    var cookies = req.getResponseHeader("Set-Cookie");
  } catch(mayHappen) {
    //this.log(VERB,"Exception hunting Set-Cookie in headers: " + mayHappen);
    return;
  }
  if (!cookies) return;
  var c;
  for each (var cs in cookies.split("\n")) {
    this.log(DBUG, "Examining cookie: ");
    c = new Cookie(cs, host);
    if (!c.secure && HTTPSRules.shouldSecureCookie(alist, c)) {
      this.log(INFO, "Securing cookie: " + c.domain + " " + c.name);
      c.secure = true;
      req.setResponseHeader("Set-Cookie", c.source + ";Secure", true);
    }
  }
While, according to the docs, true should merge cookies, what is actually
happening inside of Firefox is really undetermined (we're seeing problems
in our addon because of it).
What you should be doing is:
  req.setResponseHeader("Set-Cookie", c.source + ";Secure", false);
The goal with this code is to replace the non-secure cookie with a secure
cookie. It is not to merge it with the other cookie.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5536>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
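
The effect of the merge flag on a response that sets several cookies, as an added example that is not part of the ticket or of HTTPS Everywhere's code. `FakeResponse` models only the documented append/replace semantics (an assumption, not Firefox's actual behaviour), and `shouldSecure`, `isSecure`, `secureOnce` and the sample header are constructed for illustration.

```javascript
// Model of a response-header store. ASSUMPTION: merge=true appends to the
// existing value (newline-separated for Set-Cookie), merge=false replaces it.
class FakeResponse {
  constructor(setCookie) { this.headers = { "Set-Cookie": setCookie }; }
  getResponseHeader(name) { return this.headers[name]; }
  setResponseHeader(name, value, merge) {
    const old = this.headers[name];
    this.headers[name] = merge && old ? old + "\n" + value : value;
  }
}

// Hypothetical stand-in for HTTPSRules.shouldSecureCookie().
const shouldSecure = (line) => /^(sid|auth)=/.test(line);
const isSecure = (line) => /;\s*secure\s*(;|$)/i.test(line);

// The per-cookie loop from the ticket, parameterised on the merge flag.
function secureInLoop(req, merge) {
  for (const cs of req.getResponseHeader("Set-Cookie").split("\n")) {
    if (!isSecure(cs) && shouldSecure(cs)) {
      req.setResponseHeader("Set-Cookie", cs + ";Secure", merge);
    }
  }
  return req.getResponseHeader("Set-Cookie").split("\n");
}

// Alternative: rewrite every line, then replace the header exactly once.
function secureOnce(req) {
  const lines = req.getResponseHeader("Set-Cookie").split("\n")
    .map((cs) => (!isSecure(cs) && shouldSecure(cs) ? cs + ";Secure" : cs));
  req.setResponseHeader("Set-Cookie", lines.join("\n"), false);
  return lines;
}

// Constructed sample: two cookies to secure, one to leave alone.
const SAMPLE = "sid=abc; Path=/\nauth=xyz; HttpOnly\ntheme=dark";
// Cookie lines that match the rule but still lack the Secure attribute.
const leaks = (lines) => lines.filter((l) => shouldSecure(l) && !isSecure(l));

function compare() {
  return {
    merged: secureInLoop(new FakeResponse(SAMPLE), true),
    replaced: secureInLoop(new FakeResponse(SAMPLE), false),
    once: secureOnce(new FakeResponse(SAMPLE)),
  };
}
```

Under this model the loop with `true` leaves both original non-secure lines in the header next to their secured copies, the loop with `false` ends with only the last secured cookie, and a single replace after rewriting every line keeps all three cookies with none left unsecured.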