[tor-bugs] #5536 [EFF-HTTPS Everywhere]: Incorrect use of setResponseHeader for cookie

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Mar 30 14:19:58 UTC 2012


#5536: Incorrect use of setResponseHeader for cookie
----------------------------------+-----------------------------------------
 Reporter:  mkaply                |          Owner:  pde
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:     
Component:  EFF-HTTPS Everywhere  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------
 In the file HTTPS.js, HTTPS Everywhere is attempting to make some cookies
 secure. In particular:


       try {
         var cookies = req.getResponseHeader("Set-Cookie");
       } catch(mayHappen) {
         //this.log(VERB,"Exception hunting Set-Cookie in headers: " + mayHappen);
         return;
       }
       if (!cookies) return;
       var c;
       for each (var cs in cookies.split("\n")) {
         this.log(DBUG, "Examining cookie: ");
         c = new Cookie(cs, host);
         if (!c.secure && HTTPSRules.shouldSecureCookie(alist, c)) {
           this.log(INFO, "Securing cookie: " + c.domain + " " + c.name);
           c.secure = true;
           req.setResponseHeader("Set-Cookie", c.source + ";Secure", true);
         }
       }

 While according to the docs, true should merge cookies, what actually is
 happening inside of Firefox is really undetermined (we're seeing problems
 in our addon because of it).

 What you should be doing is:

           req.setResponseHeader("Set-Cookie", c.source + ";Secure", false);

 The goal with this code is to replace the non-secure cookie with a secure
 cookie. It is not to merge it with the other cookie.
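 As an added illustration (not code from the ticket or from HTTPS Everywhere),
 the following models the two setResponseHeader semantics the report contrasts
 and shows what a browser would see in each case; the newline-joined merge and
 the plain replace are assumptions of the model, taken from the documented
 merge semantics rather than from whatever Firefox actually did:

```javascript
// Added example, not HTTPS Everywhere code. Models a response header table
// with the two setResponseHeader semantics the ticket discusses.
// Assumption (constructed model): merge=true appends the new value to the
// existing header, newline-separated (the same separator the quoted loop
// splits on); merge=false replaces the header outright.
function setResponseHeader(headers, name, value, merge) {
  const key = name.toLowerCase();
  if (merge && headers.has(key)) {
    headers.set(key, headers.get(key) + "\n" + value);
  } else {
    headers.set(key, value);
  }
}

// Minimal Set-Cookie parser: cookie name plus whether the Secure flag is set.
function parseSetCookie(line) {
  const parts = line.split(";").map((s) => s.trim());
  const name = parts[0].split("=")[0];
  const secure = parts.slice(1).some((a) => a.toLowerCase() === "secure");
  return { name, secure, source: line };
}

// Re-emit every non-Secure cookie with ";Secure" using the given merge flag,
// then return the list of Set-Cookie lines left in the response.
function secureCookies(setCookieHeader, merge) {
  const headers = new Map([["set-cookie", setCookieHeader]]);
  for (const cs of setCookieHeader.split("\n")) {
    const c = parseSetCookie(cs);
    if (!c.secure) {
      setResponseHeader(headers, "Set-Cookie", c.source + ";Secure", merge);
    }
  }
  return headers.get("set-cookie").split("\n").map(parseSetCookie);
}

// Constructed sample: one session cookie without the Secure attribute.
const SAMPLE = "session=abc123; Path=/";

// True when the response still carries a Set-Cookie without Secure, i.e. the
// browser would still store the insecure cookie despite the rewrite.
function insecureCookieSurvives(merge) {
  return secureCookies(SAMPLE, merge).some((c) => !c.secure);
}

console.log("merge=true  leaves insecure cookie:", insecureCookieSurvives(true));
console.log("merge=false leaves insecure cookie:", insecureCookieSurvives(false));
```

 With merge=true the response ends up carrying both the original and the
 secured Set-Cookie line, so the insecure cookie is still delivered; with
 merge=false only the secured line remains.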

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5536>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online