w3c / webappsec-clear-site-data

WebAppSec Clear Site Data
https://w3c.github.io/webappsec-clear-site-data/

Clear-site-data: cookies facilitates malicious cookie flushing by sibling domains #55

Open dveditz opened 5 years ago

dveditz commented 5 years ago

Currently the definition of Clear-Site-Data: cookies will clear all cookies from a 'registered domain' (public suffix + 1), which can clear the cookies from sibling origins a site cannot otherwise clear with a Set-Cookie: header. Using normal cookie headers a site can clear domain cookies for ancestor domains (which might mess up affiliated sibling domains), but not sibling domains directly. Nor can Set-Cookie clear host cookies for any origin except itself.

Depending on the particular browser's quota approach a malicious domain might be able to create enough cookies to flush those from a sibling domain, but that's an implementation detail and doesn't have to be the case.

If a sibling domain's cookies can be cleared maliciously it makes it easier to perform session fixation attacks by setting cookies on a mutual ancestor domain.

Clear-site-data: cookies should only clear the cookies for domains that could be specified in a Set-Cookie header domain parameter. If it's legit to clear all cookies below a parent, a site should have to issue the command from the parent for much the same reasons HSTS includesubdomains has to be issued from the parent.

I'm on the fence about whether Clear-Site-Data should be allowed to clear host cookies for subdomains. Probably OK? Don't think it's right for ancestors though.
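To make the scoping difference concrete, here is an added model (not code from the spec, the browser, or this issue's author) that compares which cookies a `Clear-Site-Data: cookies` response from one host would remove under the behaviour the issue describes (everything under the registrable domain) against the proposed rule (only cookies that host could have created with a `Set-Cookie` Domain attribute). The public-suffix list and cookie jar are constructed for the example; real browsers use the full PSL.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, minimal public-suffix list (assumption; real browsers use the full PSL).
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


def registrable_domain(host: str) -> Optional[str]:
    """Public suffix + 1 label, e.g. 'a.b.example.com' -> 'example.com'."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The host itself is a public suffix: nothing registrable.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # unknown suffix: treat as not registrable


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # request host for host-only cookies, Domain attribute otherwise
    host_only: bool


def could_set_from(host: str, cookie: Cookie) -> bool:
    """Could `host` have created this cookie via Set-Cookie? (RFC 6265 domain rules)"""
    if cookie.host_only:
        return cookie.domain == host          # host cookies only for the host itself
    # A Domain attribute must domain-match the request host and must not be a public suffix.
    matches = host == cookie.domain or host.endswith("." + cookie.domain)
    return matches and cookie.domain not in PUBLIC_SUFFIXES


def cleared_current_spec(host: str, jar: set) -> set:
    """Behaviour the issue describes: clear every cookie under the registrable domain."""
    rd = registrable_domain(host)
    return {c for c in jar if rd and registrable_domain(c.domain) == rd}


def cleared_proposed(host: str, jar: set) -> set:
    """Proposed scoping: clear only cookies the host could itself have set."""
    return {c for c in jar if could_set_from(host, c)}


def sibling_flush(host: str, jar: set) -> set:
    """Cookies removed today that Set-Cookie alone could never touch from `host`."""
    return cleared_current_spec(host, jar) - cleared_proposed(host, jar)


# Constructed cookie jar: a sibling, the requester, a shared parent cookie, a child, and an unrelated site.
JAR = {
    Cookie("sid", "a.example.com", host_only=True),     # sibling's host cookie
    Cookie("sid", "b.example.com", host_only=True),     # requester's own host cookie
    Cookie("shared", "example.com", host_only=False),   # parent domain cookie
    Cookie("pref", "c.b.example.com", host_only=True),  # host cookie on a child of the requester
    Cookie("other", "example.co.uk", host_only=False),  # different registrable domain
}


def names(cookies: set) -> list:
    return sorted((c.name, c.domain) for c in cookies)
```

Run `names(sibling_flush("b.example.com", JAR))` to list the sibling and child host cookies that the current definition lets `b.example.com` flush.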

JannisBush commented 10 months ago

Shouldn't this be mentioned under security considerations?