
Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

From: Getify <getify@gmail.com>
Date: Wed, 10 Nov 2010 16:43:25 -0600
Message-ID: <4B692E8C6B0E45E8A44B12947D04E38F@spartacus>
To: "public webapps" <public-webapps@w3.org>

> Ah okay. So that would never work. As things tagged with "anonymous",
> XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore 
> Set-Cookie headers.

First of all, a CORS xhr request could be made with credentials (since 
they're available in the view-source JavaScript)... the question is whether 
or not evil.com making such a request (using CORS) against bank.com with 
credentials would in fact cause the Set-Cookie response header to be 
interpreted by the browser in such a way that the browser's session cookie 
for bank.com would be killed.

Secondly, are we sure that all implementations of CORS xhr are ignoring 
Set-Cookie headers in the "without credentials" case?

--Kyle 
Received on Wednesday, 10 November 2010 22:44:36 GMT
