Issue 868665 link

Starred by 1 user

Issue metadata

Status: Assigned
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 3
Type: Bug




Chrome API chrome.cookies.set allows setting cookies for TLDs

Reported by prakash0...@gmail.com, Jul 28

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36

Steps to reproduce the problem:
1. Create an extension with "cookies" permission for "<all_urls>"
2. Execute the following code and watch your extension's console

```javascript
// A bare TLD used as the cookie domain; the API should reject this.
const domain = 'com';
const cookieName = 'foobar';

chrome.cookies.set({
    url: `http://${domain}`,
    name: cookieName,
    value: 'true',
    domain: domain
}, cookie => {
    // Logs the cookie object instead of an error.
    console.log('set', domain, cookie);
});
chrome.cookies.get({url: `http://${domain}`, name: cookieName}, cookie => {
    // The cookie is returned, so it was stored for "com".
    console.log('get', domain, cookie);
});
```

What is the expected behavior?
Error that cookies cannot be set for TLDs

What went wrong?
Cookies got set for TLDs which aren't actually valid domains

Did this work before? N/A 

Chrome version: 68.0.3440.75  Channel: stable
OS Version: 
Flash Version: 

Though cookies are set, as seen by chrome.cookies.get, we cannot see them in requests to other subdomains or in the cookie jar.
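
As an added example that is not part of this bug report or of Chromium's own code, the following shows the check a cookie store (or an extension guarding its own chrome.cookies.set calls) should apply to a Domain attribute: reject bare TLDs and other public suffixes, and require the setting host to domain-match the attribute (RFC 6265 section 5.1.3). The suffix set and the function names are constructed for illustration; a real browser consults the full Public Suffix List.

```javascript
// Constructed subset of public suffixes; a real implementation loads the full
// Public Suffix List (https://publicsuffix.org/) rather than this sample.
const SAMPLE_PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk', 'github.io']);

// Normalise a Domain attribute the way cookie parsers do: lowercase, drop one leading dot.
function canonicalizeDomain(domain) {
  let d = String(domain).trim().toLowerCase();
  if (d.startsWith('.')) d = d.slice(1);
  return d;
}

// Decide whether `domain` may be used as the Domain attribute of a cookie set from `url`.
// Returns { ok: true, domain } or { ok: false, reason }.
function validateCookieDomain(url, domain) {
  const host = new URL(url).hostname.toLowerCase();
  const d = canonicalizeDomain(domain);
  if (d === '') return { ok: false, reason: 'empty domain' };
  // A bare TLD or any other public suffix must never hold a cookie: every site
  // under that suffix would be able to read it.
  if (SAMPLE_PUBLIC_SUFFIXES.has(d)) {
    return { ok: false, reason: `"${d}" is a public suffix` };
  }
  // The setting host must equal the domain or be a subdomain of it.
  if (host !== d && !host.endsWith('.' + d)) {
    return { ok: false, reason: `"${host}" is not within "${d}"` };
  }
  return { ok: true, domain: d };
}

// Hypothetical wrapper an extension could use around chrome.cookies.set.
// `cookiesApi` is injected so the function also runs outside a browser.
function setCookieSafely(cookiesApi, details) {
  const check = validateCookieDomain(details.url, details.domain);
  if (!check.ok) throw new Error(`refusing to set cookie: ${check.reason}`);
  cookiesApi.set({ ...details, domain: check.domain });
  return check.domain;
}
```

In an extension, `setCookieSafely(chrome.cookies, {...})` refuses the `domain: 'com'` request from the report above while still allowing `domain: 'example.com'` from a page on `www.example.com`.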
 
Components: Platform>Extensions>API
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Considering the permission required I don't think this is much of a security concern, but removing view restrictions and keeping it open for now so that other developers can take a look.
Cc: susan.boorgula@chromium.org
Labels: Needs-Triage-M68 Needs-Feedback Triaged-ET
prakash0x00@ Thanks for the issue.

Request you to provide a sample extension where this issue can be reproduced, which will help in further triaging.

Thanks.
Here, I am uploading manifest.json and background.js, which should be enough to reproduce the issue. Please enable "Developer mode" and load this extension via "Load unpacked".
When the extension is loaded, click on "background inspect"; you should observe 2 messages in your console. Then you can try reloading the extension and observe cookies being set and got for the "com" domain.

The code is simple and is trivial to change as you require.
background.js (361 bytes)
manifest.json (265 bytes)
Comment 4 by sheriffbot@chromium.org, Jul 31

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Target-70 M-70 FoundIn-70 OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on Mac 10.13.3, Win-10 and Ubuntu 17.10 using the reported Chrome version 68.0.3440.84 and the latest Canary 70.0.3509.0.
This is a non-regression issue, as it is observed in builds as old as M60.

Hence, marking it as untriaged to get more inputs from dev team.

Thanks!
Cc: rdevlin....@chromium.org
Owner: mkwst@chromium.org
Status: Assigned (was: Untriaged)
Assigning to mkwst@ as owner of the cookies API. Agreed that, while not a security risk, there isn't really any good reason to allow this.
Cc: mkwst@chromium.org
Labels: -Pri-2 Pri-3
Owner: ----
Seems like a thing we should prevent. I do not have bandwidth to fix it, but it would be lovely if someone did.
