This repository has been archived by the owner on Dec 16, 2023. It is now read-only.

Cookie leaking between domains #1199

Open
sami-sweng opened this issue Dec 17, 2019 · 1 comment

Comments

sami-sweng commented Dec 17, 2019

If domain-a tries to set a cookie for domain-b, the cookie shouldn't actually be set and sent to domain-b when the browser makes a call there.

Here is a sample displaying the issue.

// Start the client once the server is listening; surface any failure of the async test.
setupServer(function () {
    testClient().catch(function (err) {
        console.error(err);
        process.exit(1);
    });
});


// ---------- Setup server

function setupServer(callback) {
    const express = require('express');
    const app = express();

    // Answers with a cookie scoped to domain-b, whichever host the request came in on.
    app.get('/api/v1/test-set-cookies', function (req, res) {
        res.append('Set-Cookie', 'my-precious-cookie=my-secret-info-hehehe; path=/; HttpOnly; Domain=.domain-b.com');

        res.json({ ok: true });
    });

    // Echoes the request headers so the client can inspect which cookies were sent.
    app.get('/api/v1/test-get-cookies', function (req, res) {
        console.log('test-get-cookies', req.headers);

        res.json(req.headers);
    });

    const server = app.listen(8080, function () {
        console.log(server.address());
        callback();
    });
}


// ----------------- Test client

async function testClient() {
    const assert = require('assert');

    const Browser = require('zombie');

    const browser = new Browser({
        waitDuration: '30s',
        debug: true,
        runScripts: true
    });

    // domain-a responds with Set-Cookie for Domain=.domain-b.com; a conforming jar rejects it.
    await browser.visit('http://www.domain-a.com:8080/api/v1/test-set-cookies');

    // The echoed headers from domain-b must therefore not contain the cookie value.
    await browser.visit('http://www.domain-b.com:8080/api/v1/test-get-cookies');

    assert.equal(browser.text('body').includes('my-secret-info-hehehe'), false);
}

The sample requires express and obviously zombie.

It also requires adding

127.0.0.1 www.domain-a.com
127.0.0.1 www.domain-b.com

in /etc/hosts.


Notes:

  1. Running the server part only and making the two requests in either Chrome or Firefox doesn't display this behavior. This is what made me believe that Zombie might be too permissive.
  2. The sample should be transformable to a test case pretty easily.
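As an added example (neither Zombie's code nor the reporter's), this is the RFC 6265 domain-match rule a cookie jar has to apply when it stores a cookie: the request host must domain-match the cookie's Domain attribute, otherwise the cookie is ignored. The function names and the sample header are constructed for illustration; the header reproduces the scenario from the issue.

```javascript
// RFC 6265 section 5.1.3: a host domain-matches a domain when the two are
// equal, or the host ends with "." + domain and the host is not an IP literal.
// Hostnames are compared lowercased, with a leading or trailing dot stripped.
function domainMatches(host, domain) {
  host = host.toLowerCase().replace(/\.$/, '');
  domain = domain.toLowerCase().replace(/^\./, '').replace(/\.$/, '');
  if (host === domain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false; // IPv4 literal: no parent domain
  return host.endsWith('.' + domain);
}

// Pull the Domain attribute out of a Set-Cookie header value ('' when absent).
function cookieDomain(setCookie) {
  for (const part of setCookie.split(';').slice(1)) {
    const [name, ...rest] = part.trim().split('=');
    if (name.toLowerCase() === 'domain') return rest.join('=').trim();
  }
  return '';
}

// RFC 6265 section 5.3, step 6: decide whether a Set-Cookie received from
// `requestHost` may be stored. Returns the effective cookie domain, or null
// when the cookie must be ignored. A complete jar would also reject a Domain
// that is a public suffix (step 5); that check is left out here.
function acceptCookieDomain(requestHost, setCookie) {
  const domain = cookieDomain(setCookie).toLowerCase().replace(/^\./, '');
  if (domain === '') return requestHost.toLowerCase(); // host-only cookie
  return domainMatches(requestHost, domain) ? domain : null;
}

// Constructed input: the header from the issue, received from two different hosts.
const leakyHeader =
  'my-precious-cookie=my-secret-info-hehehe; path=/; HttpOnly; Domain=.domain-b.com';
console.log(acceptCookieDomain('www.domain-a.com', leakyHeader)); // null: must be ignored
console.log(acceptCookieDomain('www.domain-b.com', leakyHeader)); // 'domain-b.com'
```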

sami-sweng commented Dec 17, 2019

I believe that what value for Domain would make a cookie be accepted or rejected is refined in RFC 2675.
