W3C home > Mailing lists > Public > public-html-comments@w3.org > January 2008

Re: frame.cookie: useless, security risk

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 24 Jan 2008 17:00:50 +0100
To: tep4i6o02@sneakemail.com, public-html-comments@w3.org
Message-ID: <op.t5fyrona64w2qv@annevk-t60.oslo.opera.com>

On Thu, 24 Jan 2008 13:40:20 +0100, <tep4i6o02@sneakemail.com> wrote:
>> From the draft spec ( http://www.w3.org/TR/html5/ ):
> 'Since the cookie attribute is accessible across frames, the path  
> restrictions on cookies are only a tool to help manage which cookies are  
> sent to which parts of the site, and are not in any way a security  
> feature. '
> Since frame access is subject to same-origin rules, the only domain one  
> could get cookies from this way, would be... the same domain as oneself!  
> What is the use of this?

NB: This is my personal view. (All other e-mails I sent to this list (and  
have sent) are also my personal view unless noted otherwise.)

What the draft is pointing out here is that if multiple authors, say  
author A and B, share a domain A can't protect his cookies from B. If A  
has http://example.org/author/A/ and B has http://example.org/author/B/  
author A could simply inject an <iframe> in his web space that loads the  
site of author B and then "steals" cookie data because same-origin frame  
communication is allowed.

> As specified, it is nothing more than a security risk as it negates  
> cookie path restrictions. Why not just specify: Accessing cookies from  
> any other HTMLDocument than the current one causes an exception.

Because you can't really tell which document is accessing it if you use  
some other variable in the iframe first to store the cookie value in and  
then read that variable, etc.

Anne van Kesteren
Received on Thursday, 24 January 2008 15:57:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:24 UTC