[tor-bugs] #3766 [EFF-HTTPS Everywhere]: securecookie has no effect for cookies set by JavaScript

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Oct 11 16:20:00 UTC 2011


#3766: securecookie has no effect for cookies set by JavaScript
----------------------------------+-----------------------------------------
 Reporter:  inkerman              |          Owner:  pde     
     Type:  defect                |         Status:  accepted
 Priority:  major                 |      Milestone:          
Component:  EFF-HTTPS Everywhere  |        Version:          
 Keywords:                        |         Parent:          
   Points:                        |   Actualpoints:          
----------------------------------+-----------------------------------------

Comment(by haviah):

 I've tested said commit from
 https://gitweb.torproject.org/mikeperry/https-everywhere.git/commit/42995e67ac1d9cedc1af1cace7a4b8b821119a6f
 on FF 7.0.1/Linux/i686. Does not work for cookies set by javascript. Here's
 the fix. I'll post patch shortly.

 1. Starting from line "subject.QueryInterface(Ci.nsIArray)", there are a
 few typos in https-everywhere.js, the "Ci" in "Ci.nsIArray",
 "Ci.nsICokie2", etc. should be capitalized to "CI.nsIArray".
 2. In HTTPS.js, handleInsecureCookieEvent should be called
 handleInsecureCookie (the callers call it by this name)
 3. Some braindead cookies have expiry after end of universe and everything
 4. In HTTPS.js, handleInsecureCookie should use "nsICookieManager2"
 instead of:

 {{{
 var cookieManager = Components.classes["@mozilla.org/cookiemanager;1"]
 .getService(Components.interfaces.nsICookieManager);
 }}}

 Use the following rule as a testcase:

 {{{
 <ruleset name="Reddit.com (custom)">
   <target host="reddit.com" />
   <target host="www.reddit.com" />
   <target host=".reddit.com" />
   <target host="thumbs.reddit.com" />
   <target host="pixel.reddit.com" />
   <target host="static.reddit.com" />

   <securecookie host="^(.*\.)?reddit\.com$" name=".*" />

   <rule from="^http://(www\.)?reddit\.com/" to="https://www.reddit.com/"/>
   <rule from="^http://thumbs\.reddit\.com/"
 to="https://thumbs.reddit.com/"/>
   <rule from="^http://pixel\.reddit\.com/"
 to="https://pixel.reddit.com/"/>
   <rule from="^http://static\.reddit\.com/"
 to="https://static.reddit.com/"/>
 </ruleset>
 }}}

 Go to reddit.com (note that it has bad CNs in many of the certs, just add
 a temporary exception for testing's sake). Originally only "reddit_session"
 and "reddit_first" cookies were turned to secure by the HTTP headers
 rewriting.

 '''Important note''': many sites use ".host.net" for domain name of
 cookies. That breaks rules which have targets like "www.something.com",
 "blabla.something.com", but not "*.something.com" in the target XML
 element (notice the line saying {{{<target host=".reddit.com">}}}). That's
 what brought me to this bug. (FF API javascript simply handles the
 ".something.com" as cookie domain). I haven't seen a notice about such a
 quirk, maybe it should be added to rule creation documentation.

 Yay, my first non-trivial FF extension bug fixed! (Rant: I really can't
 shake the idea that some FF API developers must really hate FF extension
 developers. At least Venkman helps if one swears a lot at it while
 enumerating possible ways to get it to actually break at the right place and
 do a proper step-over. So kudos for the effort put into HTTPS Everywhere).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3766#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
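
The leading-dot cookie domain quirk from the important note above, as an added example that is not part of the original comment and is not HTTPS Everywhere's code. It checks which cookies a securecookie pattern accepts but no target selects; the matching model, the function names (targetMatches, classify, missedCookies) and the sample cookies are assumptions made for the illustration.

```javascript
// Added illustration, not HTTPS Everywhere code. Assumed model, following the
// comment above: a ruleset is consulted for a cookie only when the cookie's
// domain, used as a host name, matches one of the ruleset's <target> hosts.

// Constructed rulesets: the ticket's test rule with and without ".reddit.com".
const securecookie = [{ host: /^(.*\.)?reddit\.com$/, name: /.*/ }];
const withDotTarget = {
  targets: ["reddit.com", "www.reddit.com", ".reddit.com"], securecookie };
const withoutDotTarget = {
  targets: ["reddit.com", "www.reddit.com"], securecookie };

// Constructed cookies (names and domains are made up for the example).
const sampleCookies = [
  { name: "cookie_a", domain: "www.reddit.com" },
  { name: "cookie_b", domain: ".reddit.com" },   // domain-wide, leading dot
  { name: "cookie_c", domain: ".example.net" },  // unrelated site
];

// Assumed target semantics: exact host, or "*.example.com" as a suffix wildcard.
function targetMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return target === host;
}

// Classify one cookie against one ruleset.
function classify(ruleset, cookie) {
  const patternHit = ruleset.securecookie.some(
    (sc) => sc.host.test(cookie.domain) && sc.name.test(cookie.name));
  if (!patternHit) return "not-in-scope";
  const selected = ruleset.targets.some((t) => targetMatches(t, cookie.domain));
  // "missed" is the quirk: the securecookie pattern accepts the cookie, but no
  // target selects the ruleset for its leading-dot domain.
  return selected ? "secured" : "missed";
}

// Cookies a rule author would expect to be secured but that are not.
function missedCookies(ruleset, cookies) {
  return cookies
    .filter((c) => classify(ruleset, c) === "missed")
    .map((c) => `${c.name}@${c.domain}`);
}

console.log("without .reddit.com target:", missedCookies(withoutDotTarget, sampleCookies));
console.log("with .reddit.com target:   ", missedCookies(withDotTarget, sampleCookies));
```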

