- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 25 Feb 2025 13:23:29 -0800
- To: Patrick Meenan <patmeenan@gmail.com>
- Cc: רועי ברקאי <roybarkayyosef@gmail.com>, Rory Hewitt <rory.hewitt@gmail.com>, Yoav Weiss <yoav.weiss@shopify.com>, Daniel Stenberg <daniel@haxx.se>, Colin Bendell <colin.bendell@shopify.com>, HTTP Working Group <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@apple.com>
> wouldn't the risks called-out also be a problem with clear-site-data which wipes out all
> cookies (including parent and horizontally to peers)?

clear-site-data can be abused to DOS a domain: log people out, delete locally-saved settings

Deleting specific cookies by name could be used in more subtle attacks on web application logic: turning off features, breaking app consistency, clearing the way so your forged same-name replacement cookies are accepted by the app (harder to generalize, but a much worse problem for some victim sites)

-Dan Veditz

Received on Tuesday, 25 February 2025 21:24:00 UTC