[tor-bugs] #7492 [EFF-HTTPS Everywhere]: [CHROME] Do not flag cookies from HTTP origins as "secure"
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Mar 7 02:58:49 UTC 2013
#7492: [CHROME] Do not flag cookies from HTTP origins as "secure"
----------------------------------+-----------------------------------------
Reporter: pde | Owner: mikeperry
Type: defect | Status: new
Priority: critical | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Changes (by pde):
* cc: dtauerbach (added)
Comment:
I spent a couple of hours today on this. Work in progress is in
[https://gitweb.torproject.org/pde/https-everywhere.git/log/refs/heads/chrome-cookiefix this branch].
But I'm really perplexed by what's been going on in
[https://gitweb.torproject.org/pde/https-everywhere.git/blob/7d51c7dcf570b177fa76bfd42cba010232245c09:/chromium/background.js background.js]
in [https://gitweb.torproject.org/pde/https-everywhere.git/blob/7d51c7dcf570b177fa76bfd42cba010232245c09:/chromium/background.js#l200 onBeforeSendHeaders]
and [https://gitweb.torproject.org/pde/https-everywhere.git/blob/7d51c7dcf570b177fa76bfd42cba010232245c09:/chromium/background.js#l169 onHeadersReceived].
onHeadersReceived makes sense to me; it looks like a
straightforward test to see whether a newly set cookie
should be secured, modulo the apparent bug that it didn't check whether
the protocol was HTTPS before securing the cookie.
onBeforeSendHeaders looks weirder. If I had to interpret what it does,
it looks like a reimplementation of the idea of secure cookies at all: i.e.,
figure out if you want a cookie to be secure and if you do, delete it from
outgoing HTTP (non-S) requests. Git blame tells me that it's Aaron's
fault, though I'm not sure if he was just committing something Mike had
written. Are we in the business of reimplementing the secure cookie flag
because of a race condition? Or for some other reason?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7492#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
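The onHeadersReceived behaviour pde describes, with the missing HTTPS check added, as a worked example. This is added illustration code, not code from HTTPS Everywhere's background.js or from pde's branch. It assumes a plain host list for "cookies to secure" (the real rulesets use regexes) and a header array shaped like the `responseHeaders` Chrome's webRequest API passes to onHeadersReceived (`[{name, value}, ...]`); the `checkProtocol` switch exists only to show the buggy and the fixed decision side by side.

```javascript
"use strict";

// Added example (not HTTPS Everywhere's own code). Adds "Secure" to a
// Set-Cookie header for hosts a ruleset wants secured, but only when the
// response itself arrived over HTTPS.

// Constructed ruleset: cookies for these hosts should be Secure.
// A leading dot means "this domain and all of its subdomains".
const SECURE_COOKIE_HOSTS = ["www.example.com", ".example.com"];

function hostMatches(host, pattern) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.startsWith(".")) {
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  return host === pattern;
}

// Attributes after the first ";" of a Set-Cookie value as [name, value] pairs,
// names lower-cased (cookie attribute names are case-insensitive).
function cookieAttributes(setCookieValue) {
  return setCookieValue.split(";").slice(1).map((attr) => {
    const idx = attr.indexOf("=");
    const name = (idx === -1 ? attr : attr.slice(0, idx)).trim().toLowerCase();
    const value = idx === -1 ? "" : attr.slice(idx + 1).trim();
    return [name, value];
  });
}

// Effective cookie domain: the Domain attribute if present (leading dot
// dropped, as RFC 6265 does), otherwise the host the response came from.
function cookieDomain(setCookieValue, responseHost) {
  const domain = cookieAttributes(setCookieValue).find(([name]) => name === "domain");
  if (!domain || domain[1] === "") return responseHost.toLowerCase();
  return domain[1].replace(/^\./, "").toLowerCase();
}

function hasSecureAttribute(setCookieValue) {
  return cookieAttributes(setCookieValue).some(([name]) => name === "secure");
}

// Rewrites response headers. checkProtocol=true is the behaviour the ticket
// asks for; checkProtocol=false reproduces the bug (cookies set over plain
// HTTP get flagged Secure, so the browser will never send them back over HTTP).
function secureResponseCookies(responseUrl, headers, securedHosts, checkProtocol = true) {
  const url = new URL(responseUrl);
  const overHttps = url.protocol === "https:";
  return headers.map((header) => {
    if (header.name.toLowerCase() !== "set-cookie") return header;
    if (checkProtocol && !overHttps) return header; // the check the ticket says was missing
    const domain = cookieDomain(header.value, url.hostname);
    if (!securedHosts.some((pattern) => hostMatches(domain, pattern))) return header;
    if (hasSecureAttribute(header.value)) return header;
    return { name: header.name, value: header.value + "; Secure" };
  });
}

function setCookieValues(headers) {
  return headers.filter((h) => h.name.toLowerCase() === "set-cookie").map((h) => h.value);
}

// Constructed sample response headers (not captured from any real site).
const SAMPLE_HEADERS = [
  { name: "Content-Type", value: "text/html" },
  { name: "Set-Cookie", value: "session=abc123; Path=/; HttpOnly" },
  { name: "Set-Cookie", value: "prefs=dark; Domain=.example.com; Path=/" },
  { name: "Set-Cookie", value: "already=1; Secure" },
  { name: "Set-Cookie", value: "other=1; Domain=other.example.net" },
];

console.log("https, fixed :", setCookieValues(
  secureResponseCookies("https://www.example.com/login", SAMPLE_HEADERS, SECURE_COOKIE_HOSTS)));
console.log("http, fixed  :", setCookieValues(
  secureResponseCookies("http://www.example.com/", SAMPLE_HEADERS, SECURE_COOKIE_HOSTS)));
console.log("http, buggy  :", setCookieValues(
  secureResponseCookies("http://www.example.com/", SAMPLE_HEADERS, SECURE_COOKIE_HOSTS, false)));
```

Over HTTPS the session and prefs cookies gain `Secure`, the already-secure one and the cookie for an unrelated domain are left alone; over HTTP the fixed path changes nothing, while the buggy path still flags the first two, which is the breakage the ticket title describes.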