- From: Cristian Serban \(Romania\) <Cristian.Serban@betfair.com>
- Date: Mon, 12 Nov 2007 11:19:04 +0200
- To: <public-wsc-wg@w3.org>
- Message-ID: <A8412547DF87884E823EB002F40951E112D30E@rom2mail01.rom.betfair.local>
Hi dudes,

I have my first proposal (recommendation). It might be too late, or it might not be adequate for the group, or it might not be valid, but I say it anyway and see your response.

My proposal is regarding JavaScript accessing the browser API function document.cookie. I would say that document.cookie should be treated by the browser as sensitive information and should not be given away to anybody asking for it. In the majority of current web applications the cookie is used to persist the session and authentication ticket, although it can be used for other features, like user tracking and preference maintenance. In none of these cases does document.cookie really need to be accessed by JavaScript. By denying access to document.cookie, a vast majority of session hijacking through XSS attacks could be prevented.

So I would propose one of the following:

- When JavaScript accesses the document.cookie browser API function, the user should be alerted that a call to document.cookie (which is sensitive session information) is being made by JavaScript, that this might be a means to session hijacking, and that they should continue only if they are sure that the page is clean, or else they should log out immediately and come back to this page only after they have verified it. Or something close to this message, better formatted.

- document.cookie should be removed from the browser API. I don't see enough reasons why this is needed; maybe Yngve or other guys working on browsers can tell us why this is really needed.

Thanks,
Cristian Serban
------------------------------------------------------------------------
Software Engineer, Betfair
Office: +40 364 413759
Betfair extension: 3759
Fax: +40 364 409443
Yahoo! Messenger: scrissti
Betfair Limited | 2-12 Somesului | Cluj Napoca
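The following is an added example, not part of Cristian's post or of any browser's code. It models how a browser decides which cookies a page's script may read through document.cookie, and shows the mechanism that already gives servers a per-cookie way to deny that access: the Set-Cookie HttpOnly attribute (a real attribute; a cookie carrying it is still sent on HTTP requests but is withheld from document.cookie). The cookie headers, page and jar below are constructed data; parseSetCookie, documentCookieView and requestCookieHeader are names chosen for this example.

```javascript
// Added example (not from the original post): a minimal model of the
// browser-side rule that keeps HttpOnly cookies out of document.cookie
// while still sending them to the server. All sample data is constructed.

// Parse one Set-Cookie header value into name, value and the attributes
// this model cares about. Expires, Max-Age, Domain etc. are ignored here.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 0) throw new Error('malformed cookie pair: ' + parts[0]);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    path: '/',
  };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=').map(s => s.trim());
    switch (k.toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'path': cookie.path = v || '/'; break;
      default: break;
    }
  }
  return cookie;
}

// Cookies that apply to a page at all: path must match, and Secure cookies
// are only available on https pages.
function applicable(jar, page) {
  return jar
    .filter(c => page.path.startsWith(c.path))
    .filter(c => !c.secure || page.scheme === 'https');
}

// What document.cookie returns to script on the page: applicable cookies
// minus every cookie marked HttpOnly. This is the per-cookie denial of
// script access that the post asks for.
function documentCookieView(jar, page) {
  return applicable(jar, page)
    .filter(c => !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// What the browser puts in the Cookie request header for the same page.
// HttpOnly has no effect here, so the session ticket still reaches the server.
function requestCookieHeader(jar, page) {
  return applicable(jar, page)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: the server answered with these Set-Cookie headers.
const SET_COOKIE_HEADERS = [
  'SESSIONID=abc123; Path=/; HttpOnly; Secure', // session ticket: hidden from script
  'lang=ro; Path=/',                             // preference: fine for script to read
  'tracker=xyz; Path=/; HttpOnly',               // tracking id: no need for script access
];
const JAR = SET_COOKIE_HEADERS.map(parseSetCookie);
const PAGE = { scheme: 'https', path: '/account' };

// Returns both views side by side for the sample page.
function demo() {
  return {
    script: documentCookieView(JAR, PAGE),    // 'lang=ro'
    request: requestCookieHeader(JAR, PAGE),  // 'SESSIONID=abc123; lang=ro; tracker=xyz'
  };
}

console.log(demo());
```

The point the model makes: the server decides, per cookie, which values script may ever see, so an injected script reading document.cookie gets the language preference but not the session ticket, while normal requests still carry everything. Checking that every authentication and session cookie an application sets carries HttpOnly (and Secure over TLS) is the corresponding review item.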
Received on Monday, 12 November 2007 09:20:15 UTC