porton

Reputation: 5805

Is the Path attribute of cookies secure against JavaScript?

My JavaScript application may be run in a subfolder at a strange web server.

Is setting the Path attribute of a cookie secure enough to prevent programmers managing other folders of the same server from stealing secret data (involving money!) from a user for whom I set the cookie?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies :

The Path attribute indicates a URL path that must exist in the requested URL in order to send the Cookie header.

Nothing is said here about the path also having to exist in the requested URL in order to allow JavaScript code at that path to retrieve the cookie.

Is it also secure when the JavaScript History API is used to change the URL of the page without reloading?

Upvotes: 1

Views: 420

Answers (1)

porton

Reputation: 5805

It is not secure:

https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie#Security :

It is important to note that the path attribute does not protect against unauthorized reading of the cookie from a different path. It can be easily bypassed using the DOM, for example by creating a hidden <iframe> element with the path of the cookie, then accessing this iframe's contentDocument.cookie property. The only way to protect the cookie is by using a different domain or subdomain, due to the same origin policy.

Upvotes: 2
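The following is an added example, not code from the question, the answer or the MDN page it quotes. It models the two things the thread turns on: the RFC 6265 path-match rule (which only decides whether a cookie is *sent* with a request, or returned by document.cookie for a document at that path) and the Set-Cookie attributes that actually keep a secret away from script on any path of the same origin. The function names (defaultPath, pathMatches, buildSetCookie, scriptCanRead) and the cookie object shape are this example's own assumptions; the path-match and default-path logic follow RFC 6265 section 5.1.4, and the HttpOnly exclusion follows section 5.4.

```javascript
// Added example (not from the original post or MDN). Models RFC 6265 cookie
// path scoping and shows why Path is a request filter, not a security boundary.

// RFC 6265 section 5.1.4 default-path: applied when Set-Cookie has no Path.
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  if (lastSlash === 0) return "/";
  // Everything up to, but not including, the right-most "/".
  return requestPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4 path-match. True when a cookie scoped to cookiePath
// is attached to a request for requestPath. Note "/app" matches "/app/x" but
// not "/appfoo".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath.charAt(cookiePath.length) === "/";
}

// Whether document.cookie, evaluated in a document whose URL path is docPath,
// would expose this cookie (RFC 6265 section 5.4: path-match applies, and
// HttpOnly cookies are excluded from the "non-HTTP" API entirely).
// cookie = { path: "/app", httpOnly: true|false } (assumed shape).
function scriptCanRead(cookie, docPath) {
  if (cookie.httpOnly) return false; // invisible to script on every path
  return pathMatches(docPath, cookie.path);
}

// Builds a Set-Cookie header value. For a secret, HttpOnly + Secure is what
// matters; Path only narrows which requests carry the cookie over the wire.
function buildSetCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Worked comparison on constructed values: a cookie relying on Path alone is
// readable by any same-origin document whose path matches (which, per the
// MDN text quoted above, another folder's script can obtain via an iframe),
// while the HttpOnly variant is readable from no document at all.
function demo() {
  const pathOnly = { path: "/app", httpOnly: false };
  const hardened = { path: "/app", httpOnly: true };
  return {
    otherFolderDirect: scriptCanRead(pathOnly, "/other"),     // false
    sameOriginAppPath: scriptCanRead(pathOnly, "/app/page"),  // true
    hardenedAnywhere: scriptCanRead(hardened, "/app/page"),   // false
    header: buildSetCookie("session", "s3cr3t", {
      path: "/app", httpOnly: true, secure: true, sameSite: "Strict",
    }),
  };
}

module.exports = { defaultPath, pathMatches, scriptCanRead, buildSetCookie, demo };
```

The takeaway matches the quoted MDN text: a document at `/other` cannot read the cookie through its own `document.cookie`, but any same-origin document whose path does match can, so the only script-proof settings are HttpOnly (no script access at all) or a separate origin for the cookie.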
