Exclude attacker-planted-cookie attacks from the threat model#1314

Merged

lovasoa merged 1 commit into main from ophir.lojkine/security-exclude-cookie-planting on Jun 10, 2026

Conversation

@lovasoa lovasoa (Collaborator) commented Jun 10, 2026

Documents that attacks requiring the attacker to write cookies into the victim's browser are out of scope.

This is the precondition behind the OIDC login-CSRF / session-fixation class (forged sqlpage_oidc_state_* cookie). Signing the cookie does not close it (an attacker can copy a validly server-signed cookie from their own flow), and a server-side one-time state store does not either (the attacker's state is validly issued and consumed once by the victim). The realistic defense is cookie-injection hardening, but defending against an attacker who can already write cookies to the exact origin is not something SQLPage can guarantee.

Adds one bullet to the Out of Scope list in SECURITY.md. Docs only.

Attacks that require injecting attacker-chosen cookies into the victim's
browser (e.g. OIDC login CSRF / session fixation via a forged
login-flow-state cookie) are out of scope: SQLPage assumes its origin
cookie jar is writable only by the user agent.
@lovasoa lovasoa merged commit fe13e4a into main Jun 10, 2026
15 checks passed
@lovasoa lovasoa deleted the ophir.lojkine/security-exclude-cookie-planting branch June 10, 2026 14:54