Opened 4 months ago

Last modified 2 months ago

#14810 new bug

Implement public suffix list to filter cookies

Reported by: pulkomandy Owned by: nobody
Priority: high Milestone: Unscheduled
Component: Kits/Network Kit Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Has a Patch: no Platform: All

Description

It should not be possible to set a cookie on a public suffix (eg *.github.io, *.co.uk, ...). Currently we do not filter these out. This allows users to set cookies that affect other websites sharing the same suffix, allowing them tp spy on and track users.

Use of libnspsl or another public suffix library is possible to avoid rewriting all the logic ourselves.

Change History (2)

comment:1 Changed 2 months ago by khyati-agarwalss

Where should the filtering be done, which file?

comment:2 Changed 2 months ago by pulkomandy

BNetworkCookie and/or BNetworkCookieJar in src/kits/network/libnetapi

Note: See TracTickets for help on using tickets.