Posted by huli on 2017-03-24

## Where the Trouble Began

```js
document.cookie = "csrftoken=11111111; expires=Wed, 29 Mar 2020 10:03:33 GMT; domain=.huli.com; path=/"
```


## Clearing the Fog

1. In fact only Chrome refuses the write; Safari and Firefox both allow it.
2. If the existing cookie does not have the Secure flag set, the write goes through in Chrome as well.

## Digging Deeper

The check lives in Chromium's cookie store (`net/cookies/cookie_monster.cc`), where a new cookie is tested against the cookies it would replace. The relevant excerpt, with some lines elided:

```cpp
    // If the cookie is being set from an insecure scheme, then if a cookie
    // already exists with the same name and it is Secure, then the cookie
    // should *not* be updated if they domain-match and ignoring the path
    // attribute.
    //
    if (cc->IsSecure() && !source_url.SchemeIsCryptographic() &&
      // If the cookie is equivalent to the new cookie and wouldn't have been
      // skipped for being HTTP-only, record that it is a skipped secure cookie
      // that would have been deleted otherwise.
      if (ecc.IsEquivalent(*cc)) {
        if (!skip_httponly || !cc->IsHttpOnly()) {
        }
      }
    }
```


The behaviour is specified in the IETF draft "Leave Secure Cookies Alone" (draft-ietf-httpbis-cookie-alone), whose introduction explains the problem it fixes:

Section 8.5 and Section 8.6 of [RFC6265] spell out some of the
drawbacks of cookies' implementation: due to historical accident,
non-secure origins can set cookies which will be delivered to secure
origins in a manner indistinguishable from cookies set by that origin
itself.  This enables a number of attacks, which have been recently
spelled out in some detail in [COOKIE-INTEGRITY].


Without that rule, a request to the secure origin carries both cookies under the same name, and the server has no way to tell which origin set which:

```
csrftoken=cookie_from_test_huli_com; csrftoken=cookie_from_admin_huli_com
```
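As an added example (not code from this post, and not Chromium's implementation), the following toy cookie jar in JavaScript models the rule described in the list above and in the Chromium excerpt: a cookie set from an insecure scheme is dropped when a Secure cookie with the same name already exists and the two domains domain-match in either direction, with the path ignored. Turning the rule off reproduces the doubled `csrftoken` header shown above. The hosts `admin.huli.com` and `test.huli.com` and the two cookie values come from the post; the `CookieJar` class, `parseCookie`, `domainMatch` and `runScenario` are assumed names written for this illustration.

```javascript
// Added example: a minimal cookie jar that models the "Leave Secure Cookies
// Alone" rule. Illustration code only, not Chromium's cookie_monster.cc.

// RFC 6265 domain-matching: host equals the cookie domain or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  host = host.toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Parse "name=value; attr; attr=value" as written to document.cookie / Set-Cookie.
// Only the attributes this scenario needs (Domain, Path, Secure) are handled.
function parseCookie(originHost, cookieString) {
  const parts = cookieString.split(";").map((s) => s.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: cookie is sent to the exact host only
    path: "/",
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "domain") {
      cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "path") {
      cookie.path = v.trim() || "/";
    } else if (key === "secure") {
      cookie.secure = true;
    }
  }
  return cookie;
}

class CookieJar {
  constructor({ leaveSecureCookiesAlone }) {
    this.leaveSecureCookiesAlone = leaveSecureCookiesAlone;
    this.cookies = [];
  }

  // Try to store a cookie set by origin {scheme, host}; returns true if accepted.
  set(origin, cookieString) {
    const c = parseCookie(origin.host, cookieString);
    const insecure = origin.scheme !== "https";
    // A Domain attribute must cover the host that sets the cookie.
    if (!c.hostOnly && !domainMatch(origin.host, c.domain)) return false;
    // An insecure origin may not create a Secure cookie at all.
    if (c.secure && insecure) return false;
    // The rule from the post: an insecure origin may not overwrite or shadow an
    // existing Secure cookie of the same name whose domain domain-matches the
    // new cookie's domain (or vice-versa); the path attribute is ignored.
    if (this.leaveSecureCookiesAlone && insecure) {
      const shadowsSecure = this.cookies.some(
        (e) => e.secure && e.name === c.name &&
          (domainMatch(c.domain, e.domain) || domainMatch(e.domain, c.domain)));
      if (shadowsSecure) return false;
    }
    // Otherwise replace an equivalent cookie (same name, domain and path) and store.
    this.cookies = this.cookies.filter(
      (e) => !(e.name === c.name && e.domain === c.domain && e.path === c.path));
    this.cookies.push(c);
    return true;
  }

  // Build the Cookie header value for a request to scheme://host/path.
  cookieHeader(scheme, host, path = "/") {
    return this.cookies
      .filter((c) => (c.hostOnly ? c.domain === host.toLowerCase() : domainMatch(host, c.domain)))
      .filter((c) => path.startsWith(c.path))
      .filter((c) => !c.secure || scheme === "https")
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Replay the post's scenario: https://admin.huli.com sets csrftoken first, then a
// page on http://test.huli.com tries to set a domain-wide csrftoken for .huli.com.
// Returns whether the second write was accepted and what admin.huli.com then receives.
function runScenario({ leaveSecureCookiesAlone, existingIsSecure }) {
  const jar = new CookieJar({ leaveSecureCookiesAlone });
  jar.set({ scheme: "https", host: "admin.huli.com" },
    "csrftoken=cookie_from_admin_huli_com; Path=/" + (existingIsSecure ? "; Secure" : ""));
  const written = jar.set({ scheme: "http", host: "test.huli.com" },
    "csrftoken=cookie_from_test_huli_com; domain=.huli.com; path=/");
  return { written, header: jar.cookieHeader("https", "admin.huli.com", "/") };
}

// Chrome-like behaviour (rule on) versus the other browsers at the time (rule off),
// plus the case where the existing cookie was never marked Secure.
console.log("rule on    :", runScenario({ leaveSecureCookiesAlone: true, existingIsSecure: true }));
console.log("rule off   :", runScenario({ leaveSecureCookiesAlone: false, existingIsSecure: true }));
console.log("not Secure :", runScenario({ leaveSecureCookiesAlone: true, existingIsSecure: false }));
```

With the rule on, the insecure write is rejected and `admin.huli.com` keeps receiving only its own `csrftoken`; with the rule off, or when the existing cookie lacks `Secure`, both cookies are stored and the header carries `csrftoken` twice. This jar emits cookies in insertion order; RFC 6265 orders by path length and then creation time, and browsers differ in practice (the post observed the `test.huli.com` value first), which is exactly the problem: the server cannot rely on either order to tell the two apart.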


## Summary

@huli, a self-taught engineer who believes that sharing and exchanging ideas make the world a better place