Opened 5 years ago
Last modified 5 years ago
#14810 new bug
Implement public suffix list to filter cookies
| Reported by: | pulkomandy | Owned by: | nobody |
|---|---|---|---|
| Priority: | high | Milestone: | Unscheduled |
| Component: | Kits/Network Kit | Version: | R1/Development |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Platform: | All |
Description
It should not be possible to set a cookie on a public suffix (eg *.github.io, *.co.uk, ...). Currently we do not filter these out. This allows users to set cookies that affect other websites sharing the same suffix, allowing them tp spy on and track users.
Use of libnspsl or another public suffix library is possible to avoid rewriting all the logic ourselves.
Note:
See TracTickets
for help on using tickets.
Where should the filtering be done, which file?