Updates how control characters in cookie data are handled. Specifically, the tab character is now permitted, but all other control characters cause the entire cookie to be rejected (previously the \x00, \x0D, and \x0A characters in a cookie line caused it to be truncated instead of rejected entirely, which could have enabled malicious behavior in certain circumstances). This behavior is also in line with the latest drafts of RFC6265bis.
Motivation
In the case where attacker controlled data is used to set a new cookie, having certain control characters truncate the cookie line could result in security-related cookie attributes being ignored. This behavior may also lead to cookie data corruption when control characters are introduced, which may cause unpredictable behavior on the application side (more so than cookies not being set, which is a case that applications should already handle). This change helps mitigate these concerns, and better aligns the behavior against the spec.
Specification
Specification currently under development in a Working Group
Status in Chromium
No active development
(tracking bug)
Consensus & Standardization
- No signal
- No signal
- No signals
Owners
Intent to Prototype url
Intent to Prototype threadLast updated on 2021-11-30