Re: ISSUE 19: Requirements and Usage Scenarios document

* Anne van Kesteren wrote:
>Cookies are already sent for <img>, <script>, and <form> requests. Nothing  
>new. If people mindless opt in we have might have a problem (though it's  
>really the people that opt in that do), but I would expect that  
>dalmationlovers.invalid & co are using some off the shelf software.

It's actually all of us who would have a problem if the server is mis-
configured as we might be customers of a misconfigured site and incur
damages as a result of the misconfiguration (e.g., if we visit a ma-
licious site and have data intended only for a trusted site stolen).

Sending the cookies may be less a problem than allowing scripts read
access to them (e.g., by allowing them to read the Set-Cookie header
or the document.cookie property). It's not difficult to imagine people
mixing cookies and `allow "*"` resources, which would likely go wrong.
Björn Höhrmann · ·
Weinh. Str. 22 · Telefon: +49(0)621/4309674 ·
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · 

Received on Wednesday, 16 January 2008 03:02:47 UTC