- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 16 Jan 2008 11:11:21 +0100
- To: "Bjoern Hoehrmann" <derhoermi@gmx.net>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Wed, 16 Jan 2008 04:02:33 +0100, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Anne van Kesteren wrote:
>> Cookies are already sent for <img>, <script>, and <form> requests.
>> Nothing new. If people mindlessly opt in we might have a problem
>> (though it's really the people that opt in that do), but I would expect that
>> dalmationlovers.invalid & co are using some off the shelf software.
>
> It's actually all of us who would have a problem if the server is
> misconfigured as we might be customers of a misconfigured site and incur
> damages as a result of the misconfiguration (e.g., if we visit a
> malicious site and have data intended only for a trusted site stolen).

I agree that this is a problem. Though if you share your data through XML you can still solve this yourself. (And typically servers allow you to override HTTP headers as well.)

> Sending the cookies may be less a problem than allowing scripts read
> access to them (e.g., by allowing them to read the Set-Cookie header
> or the document.cookie property). It's not difficult to imagine people
> mixing cookies and `allow "*"` resources, which would likely go wrong.

This is prevented. (Access to those headers and document.cookie.)

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 16 January 2008 10:08:18 UTC