Cookie Setting via Set-Cookie Response Header in iFrames with Opaque URN

Here we see a cookie addict trying to see over fences meant to shield vulnerable cookies - iSac, Gemini, December 19, 2024.

CHIPs and iFrame with Opaque URN

Here we try to set a CHIP via a creative rendered in an iframe with an opaque URN. The server-side code is of course free to include the CHIP response header, and here the browser is setting it.

Note in particular the difference between the "creative" below, which returns all the headers the server sees and does see the cookie, and the ff version, where the cookie is set but does not get passed back and forth.

The iframe renders below and hits our "creative endpoint", which simply dumps out the data it sees.

  • You can see the handler that makes the creative here.
  • You can see the client side JS here.
  • Note also that if you open dev tools, go to the Network tab, and then refresh the page, you'll see the requests and the headers included. The initial page load will occur with whatever the last Referrer Policy was; you'll see the header come back and take effect on the next request. At that point you can find the "creative?id=..." request and see whether the referer was sent, which should be reflected in the results below.
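
For readers who cannot follow the links, here is a sketch of the logic a creative endpoint like the one described above needs: set a partitioned cookie on the response and dump back the request headers it received. This is an added example, not the demo site's handler; the cookie name `__Host-chip_demo`, the function names and the HTML shape are assumptions.

```javascript
// Added example: hypothetical "creative" handler logic, not the demo site's code.
// The cookie name and the HTML output are assumptions made for illustration.
const COOKIE_NAME = "__Host-chip_demo";

// Parse a Cookie request header into a plain object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Escape request-controlled values before reflecting them into the page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the creative response: set the CHIPS cookie and dump what the server saw.
function buildCreativeResponse(reqHeaders, id) {
  const seen = parseCookies(reqHeaders["cookie"])[COOKIE_NAME];
  const rows = Object.entries(reqHeaders)
    .map(([k, v]) => `<li>${escapeHtml(k)}: ${escapeHtml(v)}</li>`)
    .join("");
  return {
    cookieSeen: seen !== undefined,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      // Partitioned requires Secure; the __Host- prefix also requires Path=/ and no Domain.
      "Set-Cookie":
        `${COOKIE_NAME}=${encodeURIComponent(id)}; Secure; HttpOnly; Path=/; SameSite=None; Partitioned`,
    },
    body: `<p style="color:${seen ? "green" : "red"}">` +
      `${seen ? "cookie received" : "no cookie received"}</p><ul>${rows}</ul>`,
  };
}

// Constructed requests: a first load without the cookie, then one that returns it.
const first = buildCreativeResponse({ host: "creative.example" }, "abc123");
const second = buildCreativeResponse(
  { host: "creative.example", cookie: `${COOKIE_NAME}=abc123` }, "abc123");
console.log(first.headers["Set-Cookie"], first.cookieSeen, second.cookieSeen);
```

Comparing `cookieSeen` across the first and second request is the same check the page makes by reading the dumped headers in the rendered creative.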

Live Result

Sorry for the bad UI here; scroll down in the Fenced Frame a bit and you'll see the red text indicating no referer, which you can confirm by scrolling through.