
add option to set cookies hostOnly property
Open, Needs Triage, Public, Feature

Description

Feature summary

Option to set cookies using hostOnly property.

Quote https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies/Cookie

A boolean, true if the cookie is a host-only cookie (i.e. the request's host must exactly match the domain of the cookie), or false otherwise.

For example, hostOnly protects example.com cookies from being read by bar.example.com, according to my understanding.

Since MediaWiki already supports httpOnly and sameSite, this seems a good fit for completeness of cookie security features.

Use case(s) / Benefits

Better security, privacy and defense in depth, as it might prevent yet-unknown attack vectors.

Event Timeline

@adrelanos: Hi, which codebase is this about? MediaWiki core itself?

Yes, I think so.

This would be similar to $wgCookieHttpOnly.

Host-only is not a flag; it's a cookie name prefix (MDN docs). It's not strictly impossible to control it via a $wg* flag that is separate from $wgCookiePrefix, but it could get confusing.

The related MediaWiki task is T242661: Use __Host- prefixed cookies for MediaWiki session cookies.
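Worked example (added here; this is not MediaWiki code and not part of the task or of T242661): a small model in JavaScript of how a user agent stores and selects cookies under RFC 6265, showing what the description's hostOnly property means and how the __Host- prefix discussed above relates to it. A cookie stored without a Domain attribute is host-only and is only sent back to the exact host that set it; a cookie with Domain=example.com is sent to every subdomain, and can even be set by a subdomain for the parent. The __Host- prefix does not set hostOnly itself; it makes the user agent reject the cookie unless it is Secure, carries no Domain attribute (so it is necessarily host-only) and has Path=/. The hosts, cookie names and Set-Cookie strings are constructed for the demonstration, and the functions (domainMatches, storeCookie, isSentTo, demo) are this example's own, not a browser or MediaWiki API.

```javascript
// Added example (not MediaWiki code): a minimal model of RFC 6265 cookie
// storage and selection, to show what "host-only" means and how it relates
// to the __Host- cookie-name prefix. All hosts and headers are constructed.

// RFC 6265 section 5.1.3: does requestHost domain-match cookieDomain?
function domainMatches(requestHost, cookieDomain) {
  requestHost = requestHost.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (requestHost === cookieDomain) return true;
  return requestHost.endsWith('.' + cookieDomain);
}

// RFC 6265 section 5.1.4: default path is the request path up to the last "/".
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const i = requestPath.lastIndexOf('/');
  return i === 0 ? '/' : requestPath.slice(0, i);
}

// RFC 6265 section 5.1.4: does requestPath path-match cookiePath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Process one Set-Cookie header received in a response from setHost.
// Returns the stored cookie record, or null if the user agent must reject it.
function storeCookie(setCookieHeader, setHost, setPath = '/') {
  const parts = setCookieHeader.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const [k, v = ''] = p.split('=');
    attrs[k.trim().toLowerCase()] = v.trim();
  }
  let domain = setHost.toLowerCase();
  let hostOnly = true; // no Domain attribute => host-only cookie (section 5.3)
  if (attrs.domain) {
    const d = attrs.domain.replace(/^\./, '').toLowerCase();
    // Section 5.3 step 6: the response host must domain-match the Domain attribute.
    if (!domainMatches(setHost, d)) return null;
    domain = d;
    hostOnly = false;
  }
  const cookie = {
    name, value, domain, hostOnly,
    path: attrs.path ? attrs.path : defaultPath(setPath),
    secure: 'secure' in attrs,
    httpOnly: 'httponly' in attrs,
  };
  // Cookie prefixes (RFC 6265bis / MDN): __Host- needs Secure, no Domain, Path=/;
  // __Secure- needs Secure. Violations make the user agent drop the cookie.
  if (name.startsWith('__Host-') && !(cookie.secure && hostOnly && cookie.path === '/')) return null;
  if (name.startsWith('__Secure-') && !cookie.secure) return null;
  return cookie;
}

// RFC 6265 section 5.4: would this stored cookie be attached to a request?
function isSentTo(cookie, requestHost, requestPath = '/', https = true) {
  const hostOk = cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain   // exact host match only
    : domainMatches(requestHost, cookie.domain);    // host or any subdomain
  return hostOk && pathMatches(requestPath, cookie.path) && (!cookie.secure || https);
}

// Constructed scenario: cookies set by example.com and by bar.example.com.
function demo() {
  const hostOnlyCookie = storeCookie('session=abc; Secure; HttpOnly', 'example.com');
  const domainCookie = storeCookie('session=abc; Domain=example.com; Secure', 'example.com');
  const plantedBySub = storeCookie('session=evil; Domain=example.com', 'bar.example.com');
  const hostPrefixed = storeCookie('__Host-session=abc; Secure; Path=/', 'example.com');
  const badHostPrefixed = storeCookie('__Host-session=abc; Domain=example.com; Secure; Path=/', 'example.com');
  return {
    hostOnlyToSub: isSentTo(hostOnlyCookie, 'bar.example.com'),     // false
    domainToSub: isSentTo(domainCookie, 'bar.example.com'),         // true
    plantedReachesParent: isSentTo(plantedBySub, 'example.com'),    // true
    hostPrefixedAccepted: hostPrefixed !== null,                    // true
    hostPrefixedIsHostOnly: hostPrefixed !== null && hostPrefixed.hostOnly, // true
    badHostPrefixedAccepted: badHostPrefixed !== null,              // false
  };
}
```

The plantedBySub case is the one the prefix is aimed at: a subdomain may set a Domain=example.com cookie that the parent host then receives, and a host-only (or __Host-) session cookie cannot be overridden that way. Note that leaving the Domain attribute out is what makes a cookie host-only; the prefix only adds enforcement by the user agent.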