Thoughts on letting CSP govern attributes that must appear in Set-Cookie #152
Description
I realise this is mostly contrary to what CSP is conventionally: a whitelist. Though there are a few exceptions, notably block-all-mixed-content, which only performs blocking if proactively enabled.
CSP has all sorts of directives controlling to where the page is allowed to communicate, though if an attacker on the network can exploit an XSS vuln, then they could exfiltrate data from the page via a deliberately insecurely set cookie.
Okay, so that's the extreme example.
More usefully, I wonder whether an application owner may simply want to specify a list of cookie names that it wishes to ensure are set with the secure and/or HttpOnly flags, or not at all (or possibly auto-upgrade them). I can imagine a few examples where cookies are set in various places throughout code, and the application owner simply wishes to ensure that some known authentication cookies are always set securely, and out of the hands of JS.
PS. I also note that CSP is parsed before Set-Cookie here (https://w3c.github.io/webappsec-csp/#fetch-integration), so perhaps this wouldn't be too in-plausible a change?