
tl;dr, an XHR client in domain A is sending a request to a server in domain B, server responds with a Set-Cookie with Domain=A (the client's domain, the XHR's Origin), all CORS headers set correctly, should it work?

It's well known that one can't set a cookie for another domain (see: How to set a cookie for another domain).

However given the following scenario:


Actors:

Client in domain A, a web based client

Server in domain B, setup with CORS headers permitting A as origin, including Access-Control-Allow-Credentials set to true

Communication flow 1 (baseline):

  1. Client is issuing a simple GET request to the Server
  2. Server responds with a cookie, and sets the Domain property to be of the server (Domain=B)
  3. Client is sending another XHR request and has withCredentials=true
  4. The cookie is sent back to the server without any issues

Note: the cookie sent in step #1 is not showing in document.cookies, even if it was not set as httpOnly (since it doesn't belong to the client's domain). Also, if you attempt to get it from the XHR by looking at the "Set-Cookie" header, you'll be blocked, by design: https://fetch.spec.whatwg.org/#forbidden-response-header-name. It won't even show in Chrome dev tools under the network tab, but it will still be sent.

Communication flow 2 (my question):

  1. Client is issuing a simple GET request to the Server
  2. Server responds with a cookie, but sets the Domain property to be of the client (Domain=A)
  3. Client is sending an XHR request and has withCredentials=true
  4. The cookie is not sent back and doesn't seem to be stored anywhere

Why am I a bit surprised? Since the XHR origin is A and it requests something that sets the cookie to domain A (if I look in Postman I clearly see the Set-Cookie header being sent with Domain being the same as the request's Origin), and I have the most permissive CORS setting for that, what's the reasoning behind not letting me do it? (I was expecting it to fail, but it still made me wonder.)


Questions

  1. Where is the best place in the spec/RFC that clarifies that this won't work also for XHR where the cookie Domain equals the Origin?

  2. What is the attack vector in scenario 2 if theoretically the browser did allow the server to store the cookie if and only if the Origin is the same as the cookie Domain and the CORS origin allows that Origin?

  3. Is there another way to make it work? Maybe it works but my POC was set up incorrectly?

Appendix: Reasoning

I'm looking for a way to have cross-origin CSRF protection using something like the cookie-to-header token method, but due to the cross-origin issue, it seems that it's impossible. The only workaround I thought of is sending the CSRF token as a header from the server; then the client can just save it as a cookie it can access later. Is there any other way to do it? Is this considered secure?

Asked by Eran Medan (edited by sideshowbarker)

  • A related question I asked on security.stackexchange.com: https://security.stackexchange.com/questions/203890/how-to-implement-csrf-protection-with-a-cross-origin-request-cors – Eran Medan Feb 20 '19 at 02:57
  • 1
    Off-topic: re your question https://physics.stackexchange.com/questions/547039/ See https://cp3.irmp.ucl.ac.be/~maltoni/PHY1222/mermin_moon.pdf for a discussion answering your question. In conclusion, from page 9, "There is no conceivable way to assign such instruction sets to the particles from one run to the next that can account for the fact that in all runs taken together, without regard to how the switches are set, the same colors flash half the time." And, of course, read the surrounding material for a complete discussion of the ideas and formalism leading up to that. – John Forkosh Apr 27 '20 at 06:45
  • @JohnForkosh haha, thanks! appreciate it. – Eran Medan Apr 27 '20 at 20:12

1 Answer

A resource can only set cookies for its host's registrable domain. If Facebook were to use Google Fonts, and Google could use that to override Facebook cookies, that'd be pretty disastrous.

As for where this is defined, step 5 and 6 of https://www.rfc-editor.org/rfc/rfc6265#section-5.3 handle this. (Fetch largely defers to this RFC when it comes to interpreting the Set-Cookie header on responses.)
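To make those two RFC steps concrete, here is an added JavaScript model (not part of the answer above) of RFC 6265 §5.3 steps 5 and 6 together with the §5.1.3 domain-match test; the host names and cookie strings are constructed, and the public-suffix check of step 4 is deliberately left out, so it says nothing about "co.uk"-style domains.

```javascript
// Added example: why a response from host B carrying "Domain=A" is discarded.
// Models RFC 6265 §5.3 steps 5-6 plus the §5.1.3 domain-match rule.
// Simplification (assumption): no public-suffix list, i.e. §5.3 step 4 is skipped.

function canonicalHost(host) {
  // lowercase and drop a trailing dot; enough for the example hosts below
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// §5.1.3: `str` domain-matches `domainString` if they are identical, or if
// `str` ends with "." + domainString and `str` is a host name, not an IPv4 address.
function domainMatches(str, domainString) {
  if (str === domainString) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(str);
  return !isIp && str.endsWith("." + domainString);
}

// Extract the Domain attribute from a Set-Cookie value ("name=value; attr; attr=val").
function parseDomainAttribute(setCookie) {
  for (const part of setCookie.split(";").slice(1)) {
    const [key, ...rest] = part.split("=");
    if (key.trim().toLowerCase() === "domain") {
      // §5.2.3: a leading dot is ignored and the value is lowercased
      return canonicalHost(rest.join("=")).replace(/^\./, "");
    }
  }
  return "";
}

// §5.3 steps 5-6: should the user agent store this cookie, and for which domain?
function storeDecision(requestHost, setCookie) {
  const host = canonicalHost(requestHost);
  const domainAttr = parseDomainAttribute(setCookie);
  if (domainAttr !== "") {
    // step 5: the request-host itself must domain-match the Domain attribute
    if (!domainMatches(host, domainAttr)) {
      return { stored: false, reason: "request-host does not domain-match the Domain attribute" };
    }
    return { stored: true, hostOnly: false, domain: domainAttr };
  }
  // step 6: no Domain attribute means a host-only cookie for the request host
  return { stored: true, hostOnly: true, domain: host };
}

// Constructed hosts: api.b.example is the server (B), app.a.example is the client (A).
console.log(storeDecision("api.b.example", "sid=1; Domain=b.example")); // flow 1: stored
console.log(storeDecision("api.b.example", "sid=1; Domain=a.example")); // flow 2: ignored
```

Flow 1 passes step 5 because api.b.example domain-matches b.example; flow 2 fails it because the request host is under B, not A, regardless of the request's Origin or any CORS header.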

– Anne