You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
cs/web/broad-cookie-domain is triggered when creating a System.Web.HttpCookie with Domain=null, but should not report. I believe it would also trigger when Domain="", and I believe that would also be a false positive, but I have not tested that.
According to MDN:
If the server does not specify a Domain, the cookies are available on the server but not on its subdomains. Therefore, specifying Domain is less restrictive than omitting it.
In System.Web.HttpCookie, setting Domain=nullensures that the server will omit the cookie (which is more restrictive), otherwise it may default to some arbitrary value from the web.config.
cs/web/broad-cookie-domain is triggered when creating a System.Web.HttpCookie with
Domain=null, but should not report. I believe it would also trigger whenDomain="", and I believe that would also be a false positive, but I have not tested that.According to MDN:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#domain_attribute
In System.Web.HttpCookie, setting
Domain=nullensures that the server will omit the cookie (which is more restrictive), otherwise it may default to some arbitrary value from the web.config.Code samples or links to source code
Microsoft Reference Source for System.Web.HttpCookie where the
domain=string is ommitted ifDomain=nullorDomain="":https://github.com/microsoft/referencesource/blob/51cf7850defa8a17d815b4700b67116e3fa283c2/System.Web/HttpCookie.cs#L460-L463
The text was updated successfully, but these errors were encountered: