Open chlily1 opened 5 years ago
If an attacker is able to inject a `NEL` header that requests that `Cookie` headers be sent in the `request_headers` report field, then any HttpOnly cookies could also be stolen, which would not be possible with a regular header injection attack.
Discussed at TPAC, and the sentiment in the room was that we perhaps should simply not send cookies in reports.
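As an added illustration of the mitigation the thread leans toward (example code written for this page, not the NEL spec's or any browser's implementation): parse a NEL policy header, flag one whose `request_headers` list asks for `Cookie`, and build a report's `request_headers` field with `Cookie` dropped. The policy header value and the request headers below are constructed samples.

```python
import json

# Constructed sample NEL policy value asking for Cookie to be echoed into reports,
# the situation the issue describes.
SAMPLE_NEL_HEADER = '{"report_to":"nel","max_age":3600,"request_headers":["Cookie","User-Agent"]}'

# Constructed sample of the request headers the browser actually sent.
SAMPLE_REQUEST_HEADERS = {
    "Cookie": ["sid=example-session-id"],
    "User-Agent": ["ExampleUA/1.0"],
}

# Header names a report must never carry, whatever the policy asks for.
BLOCKED_REQUEST_HEADERS = {"cookie"}


def parse_nel_policy(header_value: str) -> dict:
    """Parse the JSON object carried by a NEL response header; reject anything else."""
    policy = json.loads(header_value)
    if not isinstance(policy, dict):
        raise ValueError("NEL header value must be a JSON object")
    return policy


def requested_request_headers(policy: dict) -> list:
    """Header names the policy's request_headers field asks to include (strings only)."""
    names = policy.get("request_headers", [])
    if not isinstance(names, list):
        return []
    return [n for n in names if isinstance(n, str)]


def policy_requests_cookies(policy: dict) -> bool:
    """Detection check: does this policy try to have Cookie echoed into reports?"""
    return any(n.lower() in BLOCKED_REQUEST_HEADERS for n in requested_request_headers(policy))


def build_report_request_headers(policy: dict, request_headers: dict) -> dict:
    """Build the report body's request_headers field: copy the headers the policy
    asks for (matching names case-insensitively) but never include Cookie."""
    by_lower = {name.lower(): values for name, values in request_headers.items()}
    report_headers = {}
    for name in requested_request_headers(policy):
        key = name.lower()
        if key in BLOCKED_REQUEST_HEADERS:
            continue  # do not send cookies in reports
        if key in by_lower:
            report_headers[name] = list(by_lower[key])
    return report_headers
```

A proxy or WAF could apply `policy_requests_cookies` to outgoing `NEL` headers as a detection for injected policies, while `build_report_request_headers` shows the client-side rule of simply never sending cookies.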