Re: Mozilla security review of Access Control

Can you illuminate more clearly what the unintended consequence is for the server maintainer is caused by sending the cookies with the request?

--Brad
(Sent from mobile device)

On Feb 22, 2008, at 9:47 PM, Jonas Sicking <jonas@sicking.cc> wrote:

Brad Porter wrote:
We should remember that non-malicious cross-site-requests with cookies go on all the time.  A simple peek at your cookie store (or turning on accept/reject of cookies) will show that many sites make cross-site-requests with cookies all the time.  Banner ads on the web work entirely based on cross-site GET requests with cookies.  There is no same-origin policy for cross-site IMG, FRAME, etc requests with cookies.

As I outlined in my "to cookie or not to cookie" email, the concern isn't that new attack vectors are introduced. The concern is that servers will enable access control without realizing what it means.

/ Jonas

Received on Saturday, 23 February 2008 06:02:16 UTC