Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False positive: cs/web/broad-cookie-domain for Domain = null or "" #15168

Open
johnaceous opened this issue Dec 19, 2023 · 0 comments
Open

False positive: cs/web/broad-cookie-domain for Domain = null or "" #15168

johnaceous opened this issue Dec 19, 2023 · 0 comments

Comments

@johnaceous
Copy link

johnaceous commented Dec 19, 2023

cs/web/broad-cookie-domain is triggered when creating a System.Web.HttpCookie with Domain=null, but should not report. I believe it would also trigger when Domain="", and I believe that would also be a false positive, but I have not tested that.

According to MDN:

If the server does not specify a Domain, the cookies are available on the server but not on its subdomains. Therefore, specifying Domain is less restrictive than omitting it.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#domain_attribute

In System.Web.HttpCookie, setting Domain=null ensures that the server will omit the cookie (which is more restrictive), otherwise it may default to some arbitrary value from the web.config.

Code samples or links to source code

Microsoft Reference Source for System.Web.HttpCookie where the domain= string is ommitted if Domain=null or Domain="":
https://github.com/microsoft/referencesource/blob/51cf7850defa8a17d815b4700b67116e3fa283c2/System.Web/HttpCookie.cs#L460-L463

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant