
Issue 692375


Issue metadata

Status: WontFix
Owner: ----
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




Non-secure cookie conflicts with secure cookie (with same name, different domain)

Reported by yhong...@sohu.com, Feb 15 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce the problem:
1. Page A (on work.mysite.com) sets a secure cookie (name: "JSESSIONID", domain: "work.mysite.com", path: "/")
2. Page B (on b.mysite.com) sets a non-secure cookie (name: "JSESSIONID", domain: ".mysite.com", path: "/")

What is the expected behavior?
The browser saves both cookies from page A and page B.
It works well in Firefox.

What went wrong?
The cookie from page B is missing.

Did this work before? N/A 

Chrome version: 56.0.2924.87  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:


 

Comment 1 by och...@chromium.org, Feb 15 2017

Components: Internals>Network>Cookies
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug

Comment 2 by eroman@chromium.org, Feb 15 2017

Cc: mkwst@chromium.org rdsmith@chromium.org
Cc: krajshree@chromium.org
Labels: Needs-Feedback
Reporter@ - Thanks for filing the issue...!!

Could you please provide a sample URL to test this issue?

This will help us in triaging the issue further.

Thanks...!!

Comment 4 by mkwst@chromium.org, Feb 17 2017

Status: WontFix (was: Unconfirmed)
Hi! Thanks for the report. This is an intentional change we made to protect `secure` cookies: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01.

This will break in Firefox 52, as well, FWIW: https://developer.mozilla.org/en-US/Firefox/Releases/52#HTTP.

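The storage rule from the draft linked in comment 4, sketched as an added example (not Chrome's code and not part of the original thread). It replays the reporter's two cookies and assumes page B was loaded over plain `http://`, which the report does not state; the function names and the object shape for cookies are hypothetical.

```javascript
// Added illustration of the storage check in draft-ietf-httpbis-cookie-alone.
// Simplifications (assumptions): only "https" counts as a secure scheme, and
// cookies are plain objects {name, domain, path, secure}.

// A leading dot in a Domain attribute is ignored (RFC 6265 section 5.2.3).
const norm = (d) => d.toLowerCase().replace(/^\./, "");

// RFC 6265 section 5.1.3 domain-match, host names only.
function domainMatches(host, domain) {
  host = norm(host);
  domain = norm(domain);
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// True when a non-secure cookie set from a non-secure origin must be ignored
// because a Secure cookie with the same name already covers it.
function blockedBySecureCookie(store, incoming, scheme) {
  if (incoming.secure || scheme === "https") return false;
  return store.some((c) =>
    c.secure && c.name === incoming.name &&
    (domainMatches(c.domain, incoming.domain) ||
      domainMatches(incoming.domain, c.domain)) &&
    pathMatches(incoming.path, c.path));
}

// Stores the cookie unless a rule rejects it; returns whether it was kept.
function setCookie(store, incoming, scheme) {
  if (incoming.secure && scheme !== "https") return false; // Secure needs a secure origin
  if (blockedBySecureCookie(store, incoming, scheme)) return false;
  const i = store.findIndex((c) => c.name === incoming.name &&
    norm(c.domain) === norm(incoming.domain) && c.path === incoming.path);
  if (i >= 0) store[i] = incoming; else store.push(incoming);
  return true;
}

// Constructed replay of the report: page A, then page B over `pageBScheme`.
function replayReport(pageBScheme) {
  const store = [];
  setCookie(store, { name: "JSESSIONID", domain: "work.mysite.com", path: "/", secure: true }, "https");
  const pageB = { name: "JSESSIONID", domain: ".mysite.com", path: "/", secure: false };
  return { accepted: setCookie(store, pageB, pageBScheme), stored: store.length };
}
```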