- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 16 Jan 2008 04:02:33 +0100
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
* Anne van Kesteren wrote:
>Cookies are already sent for <img>, <script>, and <form> requests. Nothing
>new. If people mindlessly opt in we might have a problem (though it's
>really the people that opt in that do), but I would expect that
>dalmationlovers.invalid & co are using some off-the-shelf software.

It's actually all of us who would have a problem if the server is
misconfigured, as we might be customers of a misconfigured site and incur
damages as a result of the misconfiguration (e.g., if we visit a
malicious site and have data intended only for a trusted site stolen).

Sending the cookies may be less a problem than allowing scripts read
access to them (e.g., by allowing them to read the Set-Cookie header or
the document.cookie property). It's not difficult to imagine people
mixing cookies and `allow "*"` resources, which would likely go wrong.
--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Wednesday, 16 January 2008 03:02:47 UTC
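The misconfiguration Björn warns about, as an added example that is not part of the thread or of any W3C draft: a server-side opt-in policy that hands out a wildcard for every resource, next to a stricter policy that reserves the wildcard for cookie-independent resources and opens cookie-gated ones only to an explicit, exact origin. The example uses today's CORS header names (Access-Control-Allow-Origin, Access-Control-Allow-Credentials) rather than the 2008 draft's `allow "*"` syntax; the origins, paths and the "readable" model are constructed for the demonstration. The model deliberately treats a wildcard as covering a credentialed request, which is the permissive reading the thread is worried about; current browsers refuse to pair `*` with credentials, so the hardened policy is also the only one that still works for the trusted origin.

```javascript
// Added example (not from the mailing-list thread): server-side opt-in policy
// for cross-site reads, using current CORS header names in place of the 2008
// draft's `allow "*"` syntax. Origins and resources are constructed samples.

// Constructed sample: origins allowed to read cookie-gated (private) data.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Constructed sample resources. `private: true` means the response depends
// on the user's session cookie (account data, CSRF tokens, and so on).
const RESOURCES = {
  "/public/feed.json": { private: false, body: '{"items":[]}' },
  "/account.json": { private: true, body: '{"email":"user@example"}' },
};

// Misconfigured policy: every resource is opted in with a wildcard, whether
// or not its response depends on cookies. Any origin that gets the browser
// to attach the cookie can then read the authenticated response.
function corsHeadersWildcard(/* path, origin */) {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened policy: wildcard only for cookie-independent resources. Private
// resources are opened to an explicit, exact origin and never to "*", so an
// unknown origin receives no opt-in at all.
function corsHeadersStrict(path, origin) {
  const res = RESOURCES[path];
  if (!res) return {};
  if (!res.private) return { "Access-Control-Allow-Origin": "*" };
  if (origin && TRUSTED_ORIGINS.has(origin)) {
    return {
      "Access-Control-Allow-Origin": origin, // echo the exact origin, not "*"
      "Access-Control-Allow-Credentials": "true",
      Vary: "Origin", // stop shared caches from serving one origin's opt-in to another
    };
  }
  return {}; // no opt-in: the cross-site caller cannot read the response
}

// Constructed model of what a cross-site page can read given the opt-in the
// server sent: readable when the header names the caller's origin exactly or
// is a wildcard. This is the permissive reading the thread worries about;
// current browsers do not accept "*" for credentialed requests.
function readableCrossSite(headers, origin) {
  const allow = headers["Access-Control-Allow-Origin"];
  return allow === "*" || allow === origin;
}

// Can a page at `origin` read the cookie-gated /account.json under `policy`?
function privateDataReadableBy(policy, origin) {
  const path = "/account.json";
  return readableCrossSite(policy(path, origin), origin);
}

// Stand-alone usage: the wildcard policy exposes account data to any origin,
// the strict policy only to the trusted one.
console.log(privateDataReadableBy(corsHeadersWildcard, "https://evil.invalid")); // true
console.log(privateDataReadableBy(corsHeadersStrict, "https://evil.invalid")); // false
console.log(privateDataReadableBy(corsHeadersStrict, "https://app.example")); // true
```

The point of the split is that the decision is made per resource, not per server: a wildcard is harmless on a feed that looks the same for every visitor and dangerous on anything whose body changes with the Cookie header. Echoing the exact origin must go together with a `Vary: Origin` so a cache never replays one origin's opt-in to another.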