
frame.cookie: useless, security risk

From: <tep4i6o02@sneakemail.com>
Date: 24 Jan 2008 12:40:20 -0000
To: public-html-comments@w3.org
Message-ID: <24638-32341@sneakemail.com>

From the draft spec ( http://www.w3.org/TR/html5/ ):

'Since the cookie attribute is accessible across frames, the path restrictions on cookies are only a tool to help manage which cookies are sent to which parts of the site, and are not in any way a security feature.'

Since frame access is subject to same-origin rules, the only domain one could get cookies from this way, would be... the same domain as oneself! What is the use of this?

As specified, it is nothing more than a security risk as it negates cookie path restrictions. Why not just specify: Accessing cookies from any other HTMLDocument than the current one causes an exception.

NB. the email address is real, but I'm not on the list, so please cc on replies.
Received on Thursday, 24 January 2008 12:53:16 UTC
