This is another instance where a web application with a vulnerability that allows injection into the response Cookie header can get cookies to be sent more broadly than they might be otherwise. Like  Issue 711505 , it presupposes an attacker with such permissions can write a value into a cookie that it cannot otherwise read and that there are /some/ constraints on what it can write. 

As such, the exploitability seems extremely limited, especially considering that a site with such a vulnerability is likely to have problems anyway (e.g. Edge and IE don't care if you set a DOMAIN attribute and will send cookies to all subdomains).

Repro page: http://debugtheweb.com/test/cookie/domainescaped.aspx

Inside the GetCookieDomainWithString function,

  // Get the normalized domain specified in cookie line.
  url::CanonHostInfo ignored;
  std::string cookie_domain(CanonicalizeHost(domain_string, &ignored));

The CanonicalizeHost function converts the %2e to .

Assigning similar labels as 711505

(Unassigning myself, marking untriaged in preparation to retriage with folks who will do a better job taking care of cookies than I've been able to)

[mkwst]:  I don't suppose you know if we need to support escape sequences in set-cookie domain names in general (for IDNs, especially)?  The Set-Cookie spec looks to only support punycoded domain names, but I'm reluctant to trust the spec, if browsers all allow percent-encoding here.

Looks like FireFox, at least, doesn't unescape characters in document.cookie=... calls (Testing the Set-Cookie lines of network requests is more involved, and should use the same parser, anyways...), so we'll try following suit.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/31feac996c68b8024000bdad91de45536fd33bcb

commit 31feac996c68b8024000bdad91de45536fd33bcb
Author: Lily Chen <chlily@chromium.org>
Date: Mon Oct 15 15:45:52 2018

Disallow %-escaped characters in cookie domains

Previously, any %-escaped characters would be unescaped when parsing
a cookie's domain attribute, leading to a potential security
vulnerability. This change disallows % characters in the cookie domain
by failing to get the cookie domain if the domain string contains a %
character.

Bug:  721833 
Change-Id: Ie55d5228eea33920cfa3792c5bf63989498e769d
Reviewed-on: https://chromium-review.googlesource.com/c/1277583
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Commit-Queue: Lily Chen <chlily@chromium.org>
Cr-Commit-Position: refs/heads/master@{#599644}
[modify] https://crrev.com/31feac996c68b8024000bdad91de45536fd33bcb/net/cookies/canonical_cookie_unittest.cc
[modify] https://crrev.com/31feac996c68b8024000bdad91de45536fd33bcb/net/cookies/cookie_util.cc

I'm afraid the VRP panel declined to reward (as is often the case for low severity bugs), but also couldn't detmain how this could be used in an attack.

But many thanks for the report, nevertheless!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot