- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 22 Feb 2008 21:47:01 -0800
- To: Brad Porter <bwporter@yahoo.com>
- Cc: "Close, Tyler J." <tyler.close@hp.com>, "WAF WG (public)" <public-appformats@w3.org>
Brad Porter wrote:

> We should remember that non-malicious cross-site-requests with cookies
> go on all the time. A simple peek at your cookie store (or turning on
> accept/reject of cookies) will show that many sites make
> cross-site-requests with cookies all the time. Banner ads on the web
> work entirely based on cross-site GET requests with cookies. There is
> no same-origin policy for cross-site IMG, FRAME, etc requests with cookies.

As I outlined in my "to cookie or not to cookie" email, the concern isn't that new attack vectors are introduced. The concern is that servers will enable access control without realizing what it means.

/ Jonas
Received on Saturday, 23 February 2008 05:47:37 UTC