 

Do Mobile Browsers send httpOnly cookies via the HTML5 Audio-Tag?

I'm trying to play some mp3 files via the HTML5 audio tag. On the desktop this works great (with Chrome), but when it comes to mobile browsers (also Chrome for Android), there seem to be some difficulties:

I protected the stream with a password, and therefore the streaming server needs to find a special authentication cookie (Spring Security remember-me). But somehow the mobile browser doesn't send this cookie when it accesses the mp3 stream via the audio tag. When I enter the stream URL directly into the address bar, everything works just fine.

While I searched for the lost cookie I found out that the mobile browser still sends some cookies (e.g. the JSESSIONID) but not all. Further investigation (a quick PoC with PHP) revealed that the mobile browser seems to refuse to send cookies via the audio tag which have the HttpOnly flag set. So my question is:

Is this specified behaviour, why are there differences between the mobile and the desktop versions (of Chrome), and is there a way to control the behaviour from the client side?

JepZ asked Apr 30 '13 23:04



1 Answer

By looking more deeply into the HTTP packets I found out that the Android browser doesn't request the mp3 stream itself, but delegates this to stagefright (an Android multimedia client). A quick search revealed that for the old Android versions (before 4.0) stagefright cannot handle cookies:

  • https://code.google.com/p/android/issues/detail?id=17553 <-- (Status: spam) WTF...
  • https://code.google.com/p/android/issues/detail?id=17281
  • https://code.google.com/p/android/issues/detail?id=10567
  • https://code.google.com/p/android/issues/detail?id=19958

My own tests confirmed this. The old stagefright (Android 2.3.x) doesn't send any cookies at all; the stagefright from a European S3 (Android 4.1.2, stagefright 1.2) sends only the cookies which do NOT have the HttpOnly flag.

So I think that everybody has to decide for themselves which solution they want to use:

  • enable HttpOnly: Android has no access at all, but it's secure
  • disable HttpOnly: less secure against XSS, but works for Android >4.0
  • disable cookie authentication altogether: insecure, but works for all

Note: The problem with simply disabling HttpOnly is that you make your whole application vulnerable to cookie hijackers. Another possible solution would be to have a special remember-me cookie for the stream (without HttpOnly) and another remember-me cookie with HttpOnly enabled.

JepZ answered Sep 24 '22 05:09
