Able to create cookie with empty name and empty name/value
Reported by
opma...@gmail.com,
May 14 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36

Steps to reproduce the problem:
1. Able to set cookie with empty name. By doing this in console document.cookie = "chromiumbugs.appspot.com;", it is setting cookie with empty name and value as "chromiumbugs.appspot.com". See attachment (chrome_cookie_noname.png)
2. Able to set cookie with empty name and empty value. By doing this in console document.cookie = ";", it is setting cookie with empty name and empty value. See attachment (chrome_cookie_noname_novalue.png)

What is the expected behavior?
Chrome shouldn't allow cookie with empty name as it is not as per RFC. http://tools.ietf.org/html/rfc6265#section-4.2.1

What went wrong?
Empty cookies are causing issues in parsing in application layer as this is not as per RFC.

Did this work before? N/A

Chrome version: 58.0.3029.96
Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 25.0 r0
,
May 16 2017
Tested the issue in Win-10 using chrome stable version #58.0.3029.110. Attached a screen cast for reference. Following are the steps followed to reproduce the issue.
------------
1. Opened chrome browser.
2. Opened dev tools and pasted document.cookie = "chromiumbugs.appspot.com; in the console.
3. Got an uncaught syntax error.

opmaity@ - Could you please provide a test file to test the issue. This will help us in triaging the issue further.

Thanks...!!
,
May 17 2017
This looks more appropriate for the Cookie team.
,
May 17 2017
Hi @krajshree, You need to go to a domain before calling document.cookie = ..... Please see the screen cast.
,
May 30 2017
,
Apr 18 2018
[+morlovich]: Mind seeing what other browsers do here?
,
Apr 25 2018
,
Apr 26 2018
Support for nameless cookies is intentional (there is specifically code to not send =whatever), and I don't know how close that RFC is to reality --- Firefox ESR 52 seems to behave identically, at least. The no-name, no value thing is weird, though. It's not observable on the wire, but it does seem to be in the database.
,
Apr 26 2018
Edge seems to largely agree with us and Firefox; but interestingly Safari is different. If you do document.cookie = "Foo"; it interprets Foo as a name, not value, and actually sends Foo= in the Cookie header; so this isn't 100% interoperable right now.
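
The handling described in this thread, as an added example that is not part of the original issue and is not Chromium code: a model of how the two browser families split a document.cookie assignment, what reaches the Cookie header, and a server-side parser that tolerates nameless and empty pairs. All function names are hypothetical, cookie attributes are ignored, and the sample strings are constructed.

```javascript
// Added example; models the behaviour reported in the comments above.

// Split the string assigned to document.cookie into name and value.
// mode "chromium": Chrome/Firefox/Edge as reported (no "=" => empty name).
// mode "safari":   Safari as reported (no "=" => the bare token is the name).
function parseCookieAssignment(input, mode) {
  const pair = input.split(";")[0].trim(); // attributes after ";" are ignored here
  const eq = pair.indexOf("=");
  if (eq !== -1) {
    return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
  }
  return mode === "safari" ? { name: pair, value: "" } : { name: "", value: pair };
}

// What one stored cookie contributes to the Cookie request header.
function serializeForHeader(cookie) {
  // A nameless cookie is sent as the bare value, never as "=value".
  // With an empty value as well, nothing is observable on the wire.
  if (cookie.name === "") return cookie.value;
  return cookie.name + "=" + cookie.value;
}

// Application-layer parser that does not break on such cookies: named pairs
// go into a Map, nameless values are collected separately, empty pairs are
// skipped. Keeping nameless values apart is this example's policy choice.
function parseCookieHeader(header) {
  const named = new Map();
  const nameless = [];
  for (const part of header.split(";")) {
    const item = part.trim();
    if (item === "") continue; // empty pair between separators
    const eq = item.indexOf("=");
    const name = eq === -1 ? "" : item.slice(0, eq).trim();
    const value = eq === -1 ? item : item.slice(eq + 1).trim();
    if (name === "") {
      if (value !== "") nameless.push(value);
    } else {
      named.set(name, value); // a later duplicate overwrites an earlier one
    }
  }
  return { named, nameless };
}

// Constructed sample header mixing a named, a nameless and an empty pair.
const SAMPLE_HEADER = "sid=abc; chromiumbugs.appspot.com; ; Foo=";
```

Because the same assignment produces `Foo` on the wire from one browser and `Foo=` from another, application code should not assume either shape when it reads the header.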
Comment 1 by ranjitkan@chromium.org
, May 15 2017