Mozilla Foundation, MFSA2007-14
May 30, 2007

Path Abuse in Cookies — Mozilla

www.mozilla.org

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.284 Low
Percentile: 96.8%

Nicolas Derouet reported two problems with cookie handling in Mozilla clients. The first was that the cookie path parameter was not subject to any length checks. This could be abused to make the victim's browser use excessive amounts of memory while it was running, and to waste the disk space used to store the cookie until it expired. Cookies sent by an HTTP server are limited to a reasonable size by the general limit on the size of an HTTP header, but cookies created programmatically through JavaScript and added using document.cookie could have a path of any length the script could create, potentially several tens of megabytes.
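The kind of check the advisory says was missing, sketched as an added example (not Mozilla's code or patch): one size validation applied to every cookie string, whether it arrives in an HTTP header or through document.cookie. The function names and both byte limits are assumptions chosen for illustration.

```javascript
// Added example. Both limits are assumptions, not values from the advisory.
const MAX_PATH_BYTES = 1024;    // assumed cap on the Path attribute
const MAX_COOKIE_BYTES = 4096;  // assumed cap on name + value

// Measure UTF-8 bytes, since storage cost is in bytes, not characters.
const byteLen = (s) => new TextEncoder().encode(s).length;

// Parse a document.cookie-style assignment ("name=value; Path=/x; Secure").
function parseSetCookieString(str) {
  const [pair, ...attrs] = str.split(";");
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? "" : pair.slice(0, eq).trim(),
    value: (eq < 0 ? pair : pair.slice(eq + 1)).trim(),
    attrs: {},
  };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    if (key) cookie.attrs[key] = i < 0 ? "" : a.slice(i + 1).trim();
  }
  return cookie;
}

// Decide whether a cookie may be stored, regardless of how it was set.
function checkCookie(str) {
  const c = parseSetCookieString(str);
  const path = c.attrs.path ?? "";
  if (byteLen(c.name) + byteLen(c.value) > MAX_COOKIE_BYTES)
    return { ok: false, reason: "name/value too long" };
  if (byteLen(path) > MAX_PATH_BYTES)
    return { ok: false, reason: "path too long" };
  return { ok: true, reason: "" };
}

// Constructed sample inputs: a normal cookie and one with an overlong path.
const normal = "sid=abc123; Path=/app; Secure";
const overlong = "sid=abc123; Path=/" + "a".repeat(2000);
console.log(checkCookie(normal), checkCookie(overlong));
```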
