Comments (6)
I have recently learned about cookie prefixes and their usefulness.
I was surprised observatory did not check them.
It seems that Safari (at least recently) also supports these prefixes.
Is there interest in giving a small bonus score if cookies additionally use these prefixes?
I am not a Python developer, but I could give this a try over the holidays if there would be a willingness to merge this.
References:
Mozilla Infosec Guidelines, not marked experimental anymore like in the Mozilla wiki
MDM1
MDM2
from http-observatory.
Yep, they were on the docket, but there had been so many changes to the spec that I wanted to wait until it was a bit more set in stone. But the eventual plan is to give +5 for using these prefixes. :)
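As an added illustration of the check being proposed here (example code, not http-observatory's own scoring code), the function below validates the `__Secure-` and `__Host-` prefix rules that browsers enforce and awards the +5 bonus only when every prefixed cookie conforms. The `PREFIX_BONUS` value, function names and sample headers are assumptions.

```python
# Added example: validate Set-Cookie headers against the cookie-prefix rules
# and compute a bonus score. Not http-observatory's own code; names assumed.
from typing import Dict, List, Tuple

PREFIX_BONUS = 5  # the +5 mentioned in the thread; assumed constant name

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def prefix_problems(header: str) -> List[str]:
    """Return the prefix rules a cookie violates (empty list means it conforms).

    __Secure-: must carry the Secure attribute.
    __Host-:   must carry Secure, must not set Domain, and Path must be "/".
    A cookie without a prefix has no rule to violate.
    """
    name, attrs = parse_set_cookie(header)
    problems: List[str] = []
    if name.startswith(("__Secure-", "__Host-")) and "secure" not in attrs:
        problems.append("missing Secure attribute")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append('Path must be "/"')
    return problems

def prefix_bonus(headers: List[str]) -> int:
    """Award the bonus only if some cookie is prefixed and all prefixed ones conform."""
    prefixed = [h for h in headers
                if parse_set_cookie(h)[0].startswith(("__Secure-", "__Host-"))]
    if not prefixed:
        return 0
    return PREFIX_BONUS if all(not prefix_problems(h) for h in prefixed) else 0

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Secure-pref=dark; Secure; Path=/settings",
    "__Host-bad=1; Domain=example.com; Path=/app",  # breaks all three __Host- rules
    "legacy=old; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h.split(";")[0], "->", prefix_problems(h) or "ok")
    print("bonus:", prefix_bonus(SAMPLE_HEADERS))
```

Browsers additionally require prefixed cookies to be set from a secure origin; that depends on the scan's request context and is outside what this header-only check sees.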
Good point, the prefix was recently changed (Nov 2015) to use double underscores (rather than a dollar sign, which caused a couple of problems).
But as far as I can tell, this is the final version (and is implemented in Google Chrome).
Further discussion at:
https://twitter.com/tbroyer/status/670779401135616000
Note that our own guidelines talk about this:
https://wiki.mozilla.org/User:Apking/Web_Security_Guidelines#Cookies
Are you aware if anybody besides Chrome has implemented this yet?
Not yet, but I have created feature requests for Safari and IE:
https://bugs.webkit.org/show_bug.cgi?id=158730
Actually the prefix is still ugly as the - causes problems.
So personally I hope the standard changes again...