[HTTPS-Everywhere] New ruleset and securecookie strangeness
Peter Eckersley
pde at eff.org
Sun Dec 26 06:34:56 PST 2010
Is it possible that the unsecured cookies are being set over HTTP connections?
Perhaps from somethingrandom.national-lottery.co.uk? If there are some
non-HTTPS connections that set cookies, we can't set the secure flags on those
cookies (at least, not without a very high risk of breaking things). So we
don't.
On Sat, Dec 25, 2010 at 06:30:34PM +0000, https-everywhere at lists.grepular.com wrote:
> Hi,
>
> I created a new ruleset for national-lottery.co.uk:
>
> https://github.com/mikecardwell/https-everywhere/commit/34dfd42ed82d41a02cbc290f96326caac932739a
>
> Please pull it.
>
> However, I noticed one strange thing... The ruleset contains:
>
> <securecookie host="^(.+\.)?national-lottery\.co\.uk$" name=".*"/>
>
> I viewed the cookies after logging in and noticed that while most were
> secure, a couple weren't (according to the "Web Developer" Firefox
> addon). The ones which were secure all had the "Host" value set to
> "www.national-lottery.co.uk", but the two which weren't had slightly
> different Host headers both starting with a ".", i.e.:
>
> .www.national-lottery.co.uk
> .national-lottery.co.uk
>
> Is something broken?
>
> Actually, it's just occurred to me. Does the securecookie tag work for
> cookies that are created using JavaScript or does it merely affect those
> set via HTTP headers?
>
> --
> Mike Cardwell https://secure.grepular.com/ https://twitter.com/mickeyc
> Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
> PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
>
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere
-- 
Peter Eckersley pde at eff.org
Senior Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993