Updates how control characters in cookie data are handled. Specifically, the tab character is now permitted, but all other control characters cause the entire cookie to be rejected (previously the \x00, \x0D, and \x0A characters in a cookie line caused it to be truncated instead of rejected entirely, which could have enabled malicious behavior in certain circumstances). This behavior is also in line with the latest drafts of RFC6265bis.
In the case where attacker-controlled data is used to set a new cookie, having certain control characters truncate the cookie line could result in security-related cookie attributes (those appended after the injected character) being silently dropped. Truncation may also corrupt the cookie data, which can cause unpredictable behavior on the application side (more so than a cookie not being set at all, which is a case applications should already handle). This change helps mitigate these concerns and better aligns the behavior with the spec.
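The following is an added illustration, not Chromium's code, of the two behaviors described above: a legacy parser that truncates the Set-Cookie line at the first NUL, CR or LF, and a strict parser that allows tab but rejects the whole cookie on any other control character. It assumes the control-character set is the RFC 5234 CTL range (0x00-0x1F plus 0x7F) with 0x09 carved out, and the sample cookie lines are constructed.

```python
"""Constructed example of the cookie control-character handling change.

Not Chromium code. Assumption: "control characters" means the RFC 5234 CTL
range (%x00-1F / %x7F); tab (0x09) is the one exception, as the page states.
"""
from typing import Dict, Optional

# Under the old behaviour only these three characters truncated the line.
LEGACY_TRUNCATORS = "\x00\x0d\x0a"
TAB = "\x09"


def is_ctl(ch: str) -> bool:
    """RFC 5234 CTL: %x00-1F / %x7F (assumed to be the set the new rule covers)."""
    code = ord(ch)
    return code < 0x20 or code == 0x7F


def _split_cookie_line(line: str) -> Dict[str, object]:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attribute names."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return {"name": name.strip(), "value": value.strip(), "attributes": attributes}


def legacy_parse(line: str) -> Optional[Dict[str, object]]:
    """Old behaviour: cut at the first NUL, CR or LF and keep whatever precedes it."""
    cut = len(line)
    for ch in LEGACY_TRUNCATORS:
        idx = line.find(ch)
        if idx != -1:
            cut = min(cut, idx)
    truncated = line[:cut]
    if not truncated or "=" not in truncated.split(";", 1)[0]:
        return None
    return _split_cookie_line(truncated)


def strict_parse(line: str) -> Optional[Dict[str, object]]:
    """New behaviour: tab is permitted; any other control character rejects the cookie."""
    if any(is_ctl(ch) and ch != TAB for ch in line):
        return None
    return _split_cookie_line(line)


def missing_security_attributes(parsed: Optional[Dict[str, object]],
                                required=("secure", "httponly")) -> set:
    """Which expected security attributes did the parser lose?

    A rejected cookie (None) loses nothing: it was never set, so nothing was
    silently weakened. A truncated cookie may have been set without them.
    """
    if parsed is None:
        return set()
    return {a for a in required if a not in parsed["attributes"]}


if __name__ == "__main__":
    # Constructed: a value carrying a NUL, followed by the server's own attributes.
    tainted = "session=abc\x00; Secure; HttpOnly"
    old = legacy_parse(tainted)
    print("legacy :", old, "dropped:", sorted(missing_security_attributes(old)))
    print("strict :", strict_parse(tainted))
    # Constructed: a tab inside the value is accepted under the new rule.
    print("tab    :", strict_parse("pref=a\tb; Secure"))
```

Run it and the legacy path yields `session=abc` with both security attributes gone, while the strict path refuses the cookie outright and the tab-bearing cookie keeps its `Secure` attribute.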
Specification currently under development in a Working Group
Status in Chromium: No active development
Consensus & Standardization
- No signal
- No signal
- No signals
Intent to Prototype thread
Last updated on 2021-11-30