Closed g-k closed 4 years ago
per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Cookie_prefixes:
Cookie names prefixed with `__Secure-` or `__Host-` can be used only if they are set with the secure directive from a secure (HTTPS) origin. In addition, cookies with the `__Host-` prefix must have a path of `/` (meaning any path at the host) and must not have a Domain attribute.
spec: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
refs: https://mozilla.slack.com/archives/C495VS94P/p1578426880009700
i.e. prevent foo.mozilla.org from stealing cookies from mozilla.org, and per dveditz:
More important is so the site doesn't use cookies that were spoofed by a compromised sibling domain.
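As an added example (not code from this issue or from the project it belongs to), a small Python checker for the `__Secure-` / `__Host-` rules quoted above, suitable for auditing a site's Set-Cookie headers; it assumes the header value has already been extracted from the response and that the caller knows whether the response came over HTTPS.

```python
# Checker for the cookie-prefix rules of draft-ietf-httpbis-cookie-prefixes-00.
# A conforming user agent rejects any Set-Cookie that breaks them; running the
# same rules server-side catches cookies a browser would silently drop.

SECURE_PREFIX = "__Secure-"
HOST_PREFIX = "__Host-"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, attribute dict).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name, attrs


def prefix_violations(header, secure_origin):
    """Return the prefix rules the header breaks (empty list when it conforms).

    secure_origin: True when the response carrying the header came over HTTPS.
    Prefix matching is exact (case-sensitive), as in the draft.
    """
    name, attrs = parse_set_cookie(header)
    violations = []
    if name.startswith(SECURE_PREFIX) or name.startswith(HOST_PREFIX):
        if not secure_origin:
            violations.append("prefixed cookie set from a non-secure origin")
        if attrs.get("secure") is not True:
            violations.append("missing Secure attribute")
    if name.startswith(HOST_PREFIX):
        if "domain" in attrs:  # any Domain attribute, even an empty one, is disallowed
            violations.append("__Host- cookie must not have a Domain attribute")
        if attrs.get("path") != "/":
            violations.append("__Host- cookie must have Path=/")
    return violations


if __name__ == "__main__":
    # Constructed sample headers: one valid, one that a sibling-domain-safe site must not emit.
    for hdr in ("__Host-sid=abc; Secure; Path=/; HttpOnly",
                "__Host-sid=abc; Secure; Path=/; Domain=mozilla.org"):
        print(hdr, "->", prefix_violations(hdr, secure_origin=True) or "ok")
```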