Cookies from domain incorrectly served on subdomain

By design Issue #8183708

Details

Author
Christopher F.
Created
Jul 15, 2016
Privacy
This issue is public.
Reports
Reported by 5 people

Sign in to watch or report this issue.

Steps to reproduce

  1. setup a webpage with an iframe in it
  2. domain of iframe should be a subdomain of the top page
  3. drop a cookie from the top page with cookie domain set to the top domain.
  4. view in the dev tools that the subdomain has access to that cookie.

According to RFC 2965, in order to expose cookies to subdomains, cookie domain should include a (.). I.e. sub.site.com can only see a cookie dropped by site.com if the domain attribute is .site.com

Attachments

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Brad E.”

  • That blog post is dated 2009. I assume this doesn’t include the Edge browser?

  • Christopher: The Q2 and Q3 paragraphs include a test link; running in Edge shows that the problem continues to exist in the latest nightly builds of Edge.

    (The responsible code lives in WinINET, the shared network stack underneath both Edge and IE)

  • Microsoft Edge Team

    Changed Assigned To to “Travis L.”

    Changed Assigned To to “Venkat K.”

    Changed Assigned To from “Venkat K.” to “Ivan P.”

    Changed Assigned To from “Ivan P.” to “Matthew C.”

    Changed Status to “By design”

  • So is that a won’t fix? Do we seriously need to get this into ES7 to motivate fixing this decade old bug?

  • RFC 2965 was never really adopted by any browser.

    RFC 6265 is the current RFC and used by most browsers.  Per this RFC the domain attribute ignores leading dots.  The only way to get a cookie constrained to a particular domain is to not have a domain attribute which will cause the hostonly flag to be set.  Edge plans on adding hostonly support (per RFC 6265) in a later release.

    Best,
    The MS Edge Team

  • The only way to get a cookie constrained to a particular domain is to not have a domain attribute which will cause the hostonly flag to be set.

    Just to be clear, this doesn’t work in Internet Explorer. If you just don’t set the domain attribute, then Firefox and Chrome constrain it to the domain. They don’t share it with subdomains. Mozilla documents this: “If not specified, defaults to the host portion of the current document location (but not including subdomains).” — https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

    However, Internet Explorer 11 (and likely all versions before) shares the cookie with subdomains even if you don’t specify a domain.

    So this is a slightly different bug than what was opened. Can this be fixed in Internet Explorer 11, which will go on being supported until 2020 or even 2025? Do you want me to open a new ticket?

  • Andrew, the behavior of Internet Explorer and Edge now matches the standards, as of the April 2018 update. Specifically, a cookie without a |domain| attribute will not be sent to subdomains, matching other browsers. I’ve updated my Internet Explorer Cookie FAQ on MSDN with this information.

You need to sign in to your Microsoft account to add a comment.

Sign in