We need an error message if insecure cookies are blocked due to RFC6265bis changes to `secure`.
Reported by
vroues...@gmail.com,
May 15 2018
|
|||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 Example URL: https://fiddlerbook.com/test/cookie/LeaveSecureAlone.aspx Steps to reproduce the problem: 1. Visit HTTPS://http://fiddlerbook.com/test/cookie/LeaveSecureAlone.aspx 2. Click `Add Secure Cookie` 3. Visit HTTP://fiddlerbook.com/test/cookie/LeaveSecureAlone.aspx 4. Click `Add Insecure Cookie` Note that the http page cannot set an insecure cookie of the same name as the secure cookie. However, while on the http page, click on the icon in the address bar and you can see the insecure cookie we just added is stored (somewhere) by Chrome. Now, refresh the http page, and note that the cookie is not present in the address bar icon pop out anymore. Open up `Developer Tools > Application tab > Cookies`, and note that the `SetBy` cookie is not present. --- Now imagine you are using `http://localhost` to develop an app. Then say you: - want to access an app running in a VirtualBox VM by port-forwarding to your host at `https://localhost:8443` - or maybe you want to debug an https version of an app at `https://localhost` Any cookie with the same name that is set from an https page will prevent an http page from using a cookie with that name until the https clears the cookie. During local development this sends the developer into a world of hurt. They see that there server is sending a response with `Set-Cookie` upon successful login, but the cookie is not being sent with any further requests for no obvious reason. The `Developer Tools > Application tab > Cookies` tab does not show the cookie either. However, the cookie can be found by clicking on the icon in the address bar (which they won't find for a long time because its simply hard to know that its there). So now they know that Chrome knows about the cookie, and it says: `Cookies (1 in *use*)`, and after clicking on `Cookies` it says `The following cookies were set when you viewed this page`. But the cookie still isn't sent with a request. But little does the poor developer know that there is an https cookie that has been set with the same name for the same domain, that is preventing their latest http cookie from being sent. From the http page they cannot see the secure cookies, and this makes sense for security purposes. But the developer needs to be told that there is a secure cookie preventing their insecure cookie being set. Seeing as many frameworks/libraries use the same named cookies (e.g. [koa](https://github.com/koajs/koa) uses `koa:sess`), and these cookie names aren't usually modified by developers, an unsuspecting developer can find themselves not knowing why their cookies are setting...and why their login page seemingly stops working in development for now reason. What is the expected behavior? Either: a. A warning should be printed in the console indicating that `Set-Cookie` will not store the cookie because a secure cookie exists with the same name. b. Chrome stores both cookies if they have the same name, but different `Secure` flag values. When the user is on an http page, it sends the insecure cookie with the request, and when the user visits an https page, it sends the secure cookie. The https page can write to the secure and insecure cookies, but the http page can only write to the insecure cookie. c. There is a special case for `localhost` domains where option b. applies. What went wrong? The user is not alerted when a `Set-Cookie` doesn't result in Chrome storing the cookie because a secure cookie exists with the same name. Did this work before? N/A Chrome version: 66.0.3359.139 Channel: n/a OS Version: OS X 10.12.6 Flash Version:
,
May 16 2018
Tested the issue on chrome reported version 66.0.3359.139 using Mac 10.12.6 with steps mentioned below: 1)Launched chrome reported version and navigated to URL: HTTPS://http://fiddlerbook.com/test/cookie/LeaveSecureAlone.aspx and clicked on 'Add Secure Cookie' 2) Again navigated to HTTP://fiddlerbook.com/test/cookie/LeaveSecureAlone.aspx and clicked on 'Add Insecure Cookie' 3) Navigated to Developer Tools > Application tab > Cookies, able to see 'SetBy' cookie in the list @Reporter: Please find the attached screencast for your reference and let us know if we missed anything in reproducing the issue, provide your feedback on it which help in further triaging it, if possible could you please provide screencast of the issue which help in better understanding. Thanks!
,
May 16 2018
,
May 16 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 17 2018
,
May 17 2018
I think we actually record all "set" cookies in ChromeNetworkDelegate, before we've even sent them to the cookie store (Which is what detects and handles the conflicts).
,
May 17 2018
I believe this issue is in all versions of Chrome from sometime since version 58. This is major issues for enterprise customers that have sessions states shares across web apps of http and https. Below are some links to RFCs that google is proposed. If the intention is to not let chrome share cookies across sub domains of different https and http domains then this will be a major issue for enterprise customer. A policy will need to be created (maybe a whitelist). Many enterprise customer want to comply with https standard but enterprise applications and vendor may take years to migrate applications. https://tools.ietf.org/html/rfc6265 https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01 Below is a description of the customer issue We've encountered issues with several internal applications because of how Chrome is handling a secure cookie set for a different subdomain. Flow: 1. Navigate to https://wiki.enterprisecustomer.com/display * This is the root page for a vendor application called Confluence that contains wiki pages 2. The page will set a cookie with the following settings* Set-Cookie: JSESSIONID=AFB46649DF6903DE701DE0A1C0882B5D; Path=/; Secure; HttpOnly 3. The cookie has a domain of wiki.enterprisecustomer.com since no domain was specified 4. Open a new tab and navigate http://remp.enterprisecustomer.com/portal/ODocs* This is an internally developed member contact application 5. The page will set a cookie with the following settings* Set-Cookie: JSESSIONID=0001CZGBZwJkUopJYJ4_iGCwRD0:1camdvid9; Path=/; Domain=.usaa.com 6. Chrome will NOT set the cookie from step 5 which causes the application to break* The cookie set in step 2 will NOT be sent in the request since it was set for a different subdomain Is this expected? If so then what should be changed to prevent the cookie conflict? This is going to be an ongoing problem for us since many applications require that cookie.
,
May 17 2018
jeffej: I assume both cookies are being sent using the same top-level domain. We no longer allow insecure cookies to be set when their domain+path overlaps with a secure cookie. See https://cs.chromium.org/chromium/src/net/cookies/cookie_monster.cc?q=cookie_monster&sq=package:chromium&g=0&l=1142
,
May 23 2018
As per comment #8 this issue seems to be a Enterprise Applications.Hence forwarding this issue to In house Team to have a look on this issue and CCing jmukthavaram@chromium.org, kkaluri@chromium.org. Thanks.!
,
May 23 2018
,
May 24 2018
Able to reproduce the issue on Windows 10, Mac 10.13.4 and Debian Rodete with chrome Stable #66.0.3359.181, Canary #68.0.3438.3 and also on earlier version M60-#60.0.3073.0 This is a non-regression issue, hence marking it as Untriaged Attaching the screen-cast for reference.
,
Jul 5
The breaking change has been implemented [1] in M-58. Off to enterprise triage to determine whether this needs a policy. [1] https://chromium.googlesource.com/chromium/src/+/a26e439d02baa9514b09c637bf5fa9f6790c4c3e
,
Jul 6
Mike, do you know who could take a look at this?
,
Jul 6
Please keep me updated on this bug. I have a few Enterprise browser customers that have this issue and is preventing there users from using internal http and https sites as session info does not pass because of this secure cookie setting. Could an enterprise policy be define so that the secure flag can be overlooked for enterprise customers. Customers effected USAA - 35K seats, Verizon 100K+ seats, I believe other customer experience this issue, but have their users just suffer with it.
,
Jul 9
I completely agree that we should have an error message here. I thought we landed one before the relevant engineer left the company, but that apparently didn't happen. I'm less enthusiastic about adding an enterprise exception, as there are real security implications to allowing non-secure pages to overwrite the cookies of secure pages. Closing that hole was the entire point of the changes underway in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis. Happy to chat offline.
,
Jul 25
Mike, while the original post does highlight the issue it doesn't explain the way it impacts enterprises. Here is a quick walkthrough of the problem: 1. Multiple applications are running under the test.com domain (internally developed and vendor applications). 2. Each major application is scoped to its own subdomain (ex: here.test.com and there.test.com). 3. An HTTPS vendor application running on here.test.com sets a secure cookie that is scoped specifically to that subdomain. 4. An HTTP application running on there.test.com attempts to set a non-secure cookie with a domain of .test.com. 5. The secure cookie set by the here.test.com application will prevent the unrelated non-secure cookie of the same name from being set. 6. This causes the second application to encounter issues until the secure cookie is removed from the cookie store. Within the enterprise environment there are many applications that can step on each other in this way. Especially when dealing with legacy and vendor applications. It makes sense that this is a bug as it allows completely unrelated applications to step on each other's cookie stores just because they run under the same domain. Feel free to contact me to discuss further.
,
Jul 25
The workaround for me in the meantime is to vary the cookie name by the application name, and whether it is https or http. E.g. `foo-app-https`, `foo-app-http`, `bar-app-https`. Most devs will leave their framework-specific cookie names intact though, which causes the problem. The silent-nature of the bug is a killer though. An error would help a lot.
,
Jul 25
vrouesnel: I agree completely with you on that. Was just having a conversation with another dev about exposing this information in DevTools, and filed a bug for it last week (https://crbug.com/856777). Unfortunately, no timeline for it, but I think it should be pretty high priority.
,
Aug 3
This bug has an owner, thus, it's been triaged. Changing status to "assigned".
,
Aug 6
,
Oct 4
(Unassigning myself, marking untriaged in preparation to retriage with folks who will do a better job taking care of cookies than I've been able to)
,
Nov 5
,
Nov 22
**UI mass Triage** Still able to reproduce the issue on all OS using latest canary-72.0.3617.0 as per C#0.As it is non reg issue , adding respective labels. Thanks..! |
|||||||||||||||
►
Sign in to add a comment |
|||||||||||||||
Comment 1 by krajshree@chromium.org
, May 16 2018