document.cookie

How does the XSS protection work? In a request to https://snap.berkeley.edu/snap/snap.html I get a request header

Cookie: snapsession=████████████████████████████████████████████████████████████████████████████████████████████████████████████; persist_session=true

But if I open the console, I get no cookie. I can add other cookies to document.cookie. The x-xss-protection header is not supported by Firefox, so it shouldn't do anything.

There are 2 projects made by different people that have blocks that can set cookies, https://snap.berkeley.edu/snap/snap.html#present:Username=18001767679&ProjectName=cookies---yum!&editMode&noRun and https://snap.berkeley.edu/snap/snap.html#present:Username=arjhantoteck&ProjectName=Cookie%20Saving&editMode&noRun

I'm asking about how the snap server prevents the snapsession cookie from going in document.cookie, not how to add my own cookies to document.cookie.

set-cookie: snapsession=...; httponly;

Dan's correct. If you do have that cookie, you can supply it to other requests, but no one should be able to read that cookie via JS.
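As an added example (not code from this thread or from Snap! itself), here is a small model of the rule Dan describes: the browser attaches every stored cookie to a same-origin request, but only cookies set without the HttpOnly attribute show up in document.cookie. The Set-Cookie headers and the session value are constructed placeholders, not the real snap.berkeley.edu response.

```javascript
// Constructed Set-Cookie headers standing in for the real server response;
// the session token is a placeholder, not a real value.
const SET_COOKIE_HEADERS = [
  "snapsession=PLACEHOLDER_SESSION_TOKEN; HttpOnly; Path=/",
  "persist_session=true; Path=/",
];

// Parse one Set-Cookie header into name, value and an httpOnly flag.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attributes = new Set(
    attrs.filter(Boolean).map((a) => a.split("=")[0].trim().toLowerCase())
  );
  return { name, value, httpOnly: attributes.has("httponly") };
}

// What the browser puts in the Cookie request header: every stored cookie,
// HttpOnly or not, so the server still gets the session.
function cookieRequestHeader(headers) {
  return headers
    .map(parseSetCookie)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// What page script sees in document.cookie: HttpOnly cookies are filtered
// out, which is why an XSS payload cannot read the session cookie.
function documentCookieView(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

console.log("Cookie header   :", cookieRequestHeader(SET_COOKIE_HEADERS));
console.log("document.cookie :", documentCookieView(SET_COOKIE_HEADERS));
```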

The blocks in the first project are not by me.

I know that, it's another project that I found that has cookie blocks.