Cookie isolation error
- June 21, 2011
- David Chan
- Firefox, Thunderbird
- Fixed in
- Firefox 3.6.18
- Thunderbird 3.1.11
Mozilla security researcher David Chan reported
that cookies set for
example.com. (note the trailing dot)
example.com were treated as interchangeable. This is
a violation of same-origin conventions and could potentially lead to
leakage of cookie data to the wrong party.
This issue did not affect Firefox 4, SeaMonkey 2.1, or newer Mozilla-based products.