[tor-bugs] #8192 [EFF-HTTPS Everywhere]: Secure cookie inconsistencies

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Feb 8 21:33:01 UTC 2013


#8192: Secure cookie inconsistencies
----------------------------------+-----------------------------------------
 Reporter:  mikkoharhanen         |          Owner:  pde            
     Type:  defect                |         Status:  new            
 Priority:  normal                |      Milestone:                 
Component:  EFF-HTTPS Everywhere  |        Version:  HTTPS-E 4.0dev4
 Keywords:                        |         Parent:                 
   Points:                        |   Actualpoints:                 
----------------------------------+-----------------------------------------
 I tried to secure (JavaScript) cookies with poor success. I made three
 rule sets with different target host attributes to test
 https://www.fortum.com. I was expecting that cookies were secured in all
 of these tests. Not sure if test case 1 is a defect or intended behaviour,
 but at least Chrome is acting strange.

 Here are the results:

 FIREFOX
 {{{
 Test 1)
 <target host="www.fortum.com">
 <target host="fortum.com">
 Cookies:
 Host: www.fortum.com Name: Sitester_Nth1328     [Secured]
 Domain: .fortum.com Name: __utma                [Not secured]

 Test 2)
 <target host="*.fortum.com">
 <target host="fortum.com">
 Cookies:
 Host: www.fortum.com Name: Sitester_Nth1328     [Secured]
 Domain: .fortum.com Name: __utma                [Secured]

 Test 3)
 <target host=".fortum.com"> # validation error but works as a local rule
 <target host="fortum.com">
 <target host="www.fortum.com">
 Cookies:
 Host: www.fortum.com Name: Sitester_Nth1328     [Secured]
 Domain: .fortum.com Name: __utma                [Secured]
 }}}
 CHROME
 {{{
 Test 4)
 <target host="www.fortum.com">
 <target host="fortum.com">
 Cookies:
 Domain: www.fortum.com Name: Sitester_nth1382   [Not secured]
 Domain: .www.fortum.com Name: Sitester_nth1382  [Secured]
 Domain: .fortum Name: __utma                    [Not secured]

 Test 5)
 <target host="*.fortum.com">
 <target host="fortum.com">
 Cookies:
 Domain: www.fortum.com Name: Sitester_nth1382   [Not secured]
 Domain: .www.fortum.com Name: Sitester_nth1382  [Secured]
 Domain: .fortum Name: __utma                    [Not secured]
 }}}

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8192>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

