document.cookie

spaceelephant · July 12, 2020, 11:24am

How does the XSS protection work? In a request to https://snap.berkeley.edu/snap/snap.html I get a request header

Cookie: snapsession=████████████████████████████████████████████████████████████████████████████████████████████████████████████; persist_session=true

But if I open the console, I get no cookie. I can add other cookies to document.cookie. The x-xss-protection header is not supported by firefox, so it shouldn't do anything.

ego-lay_atman-bay · July 13, 2020, 4:01pm

there are a 2 projects made by different people that have blocks that can set cookies, Snap! Build Your Own Blocks and Snap! Build Your Own Blocks

spaceelephant · July 13, 2020, 9:31pm

I'm asking about how the snap server prevents the snapsession cookie from going in document.cookie, not how to add my own cookies to document.cookie.

dardoro · July 13, 2020, 11:26pm

set-cookie: snapsession=...; httponly;

cycomachead · July 14, 2020, 2:31am

Dan's correct. If you do have that cookie, you can supply it to other requests, but no one should be able to read that cookie via JS.

18001767679 · July 14, 2020, 4:26am

The blocks in the first project is not by me.

ego-lay_atman-bay · July 14, 2020, 2:17pm

I know that, it's another project that I found that have cookie blocks