
Re: ISSUE 19: Requirements and Usage Scenarios document

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 16 Jan 2008 04:02:33 +0100
To: "Anne van Kesteren" <annevk@opera.com>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <n8pqo3djcnrrq256g4gkhls6ss99ds8evl@hive.bjoern.hoehrmann.de>

* Anne van Kesteren wrote:
>Cookies are already sent for <img>, <script>, and <form> requests. Nothing
>new. If people mindlessly opt in we might have a problem (though it's
>really the people that opt in that do), but I would expect that
>dalmationlovers.invalid & co are using some off the shelf software.

It's actually all of us who would have a problem if the server is
misconfigured as we might be customers of a misconfigured site and
incur damages as a result of the misconfiguration (e.g., if we visit a
malicious site and have data intended only for a trusted site stolen).

Sending the cookies may be less a problem than allowing scripts read
access to them (e.g., by allowing them to read the Set-Cookie header
or the document.cookie property). It's not difficult to imagine people
mixing cookies and `allow "*"` resources, which would likely go wrong.

Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 16 January 2008 03:02:47 UTC
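The failure mode the message warns about, written out as an added example that is not part of the thread or of the Access Control draft: a resource policy in the quoted `allow "..."` form is evaluated against a cross-site request, and a strict mode refuses to let a wildcard expose a cookie-authenticated response. The `Request` model, the strict/lax rules and the example origins are assumptions made for this illustration.

```python
"""Toy model of the cross-site read-access decision discussed in the thread.

Policy lines use the `allow <origin>` / `allow "*"` form quoted in the
message; the evaluation rules are an illustration, not the draft's
normative algorithm (assumption made for this example).
"""
from dataclasses import dataclass


@dataclass
class Request:
    origin: str        # origin of the page issuing the cross-site request
    has_cookies: bool  # browser attached the target site's cookies


def parse_policy(text: str) -> list:
    """Return the origins (or '*') named by `allow` statements, in order."""
    allowed = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) == 2 and parts[0] == "allow":
            allowed.append(parts[1].strip('"'))
    return allowed


def may_read(policy: str, req: Request, strict: bool = True) -> bool:
    """Decide whether the requesting page may read the response body.

    Lax mode: any matching `allow` grants read access, cookies or not.
    This is the "cookies mixed with allow *" situation the message calls
    out: a response personalised for the cookie holder becomes readable
    by any site that asks.

    Strict mode: a wildcard only ever exposes responses that were produced
    without the user's cookies; credentialed responses need an explicit,
    named origin.
    """
    allowed = parse_policy(policy)
    if req.origin in allowed:
        return True
    if "*" in allowed:
        return not (strict and req.has_cookies)
    return False
```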
