W3C home > Mailing lists > Public > public-wsc-wg@w3.org > November 2007

document.cookie

From: Cristian Serban \(Romania\) <Cristian.Serban@betfair.com>
Date: Mon, 12 Nov 2007 11:19:04 +0200
Message-ID: <A8412547DF87884E823EB002F40951E112D30E@rom2mail01.rom.betfair.local>
To: <public-wsc-wg@w3.org>
Hi dudes,

I have my first proposal(recommendation), it might be too late or it
might not be adequate for the group or it might not be valid but I say
it anyway, and see your response.

My proposal is regarding the javascript accessing the browser API
function document.cookie.

I would say that the document.cookie should be treated by the browser as
sensitive information and should not be given away to anybody asking for
it. 

In the majority of current web applications the cookie is used to
session and authentication ticket persistent, although it can be used to
other features, like user tracking, preference maintenance. 

In none of this cases the document.cookie is not really needed to be
accessed by javascript. 

By denying access to document.cookie a vast majority of session
hijacking through XSS attacks could be prevented.

So I would propose one of the following:

-          when javascript accesses document.cookie browser API function
the user should be alerted that a call to document.cookie(which is a
sensitive session information) is being made by javascript, and this
might be a means to session hijacking and should continue only if is
sure that the page is clean, or else they should logout immediately and
come back to this page only after they verified it. Or something close
to this message, better formatted.

-          The document.cookie should be removed from the browser API. I
don't see enough reasons why this is needed, maybe Yngve or other guys
working on browsers can tell us why is this really needed.

Thanks,

 

Cristian Serban

------------------------------------------------------------------------
---------------------

Software Engineer, Betfair

 

Office: +40 364 413759
Betfair extension:  3759
Fax: +40 364 409443
Yahoo! Messenger: scrissti 
Please consider the environment before printing
Betfair Limited | 2-12 Somesului | Cluj Napoca |
The information in this e-mail and any attachment is confidential and is
intended only for the named recipient(s). The e-mail may not be
disclosed or used by any person other than the addressee, nor may it be
copied in any way. If you are not a named recipient please notify the
sender immediately and delete any copies of this message. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden. Any view or opinions presented are solely
those of the author and do not necessarily represent those of the
company. 

Betfair (r) and the BETFAIR LOGO are registered trade marks of The
Sporting Exchange Limited.

 


________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________
Received on Monday, 12 November 2007 09:20:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:53 GMT