
Re: ISSUE 19: Requirements and Usage Scenarios document

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 16 Jan 2008 11:11:21 +0100
To: "Bjoern Hoehrmann" <derhoermi@gmx.net>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.t40o87wj64w2qv@annevk-t60.oslo.opera.com>

On Wed, 16 Jan 2008 04:02:33 +0100, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Anne van Kesteren wrote:
>> Cookies are already sent for <img>, <script>, and <form> requests.
>> Nothing new. If people mindlessly opt in we might have a problem
>> (though it's really the people that opt in that do), but I would
>> expect that dalmationlovers.invalid & co are using some off-the-shelf
>> software.
> It's actually all of us who would have a problem if the server is
> misconfigured, as we might be customers of a misconfigured site and
> incur damages as a result of the misconfiguration (e.g., if we visit a
> malicious site and have data intended only for a trusted site stolen).

I agree that this is a problem. Though if you share your data through XML  
you can still solve this yourself. (And typically servers allow you to  
override HTTP headers as well.)

> Sending the cookies may be less a problem than allowing scripts read
> access to them (e.g., by allowing them to read the Set-Cookie header
> or the document.cookie property). It's not difficult to imagine people
> mixing cookies and `allow "*"` resources, which would likely go wrong.

This is prevented. (Access to those headers and document.cookie.)

Anne van Kesteren
Received on Wednesday, 16 January 2008 10:08:18 UTC
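The following is an added illustration for this archive page, not code from the thread or from the WAF WG Access-Control draft it discusses. It models the two server policies the exchange contrasts (a site that opts in carelessly with "allow *" while cookies are sent, versus one that grants credentialed access only to a trusted origin) and the browser-side rule that keeps Set-Cookie out of reach of cross-site script. Header names are those of today's CORS, which is an assumption: the 2008 draft used different syntax for the same decisions, and the origins and the sample response below are constructed.

```javascript
// Added example, not code from the thread or from the WAF WG draft it discusses.
// Header names follow today's CORS (an assumption; the 2008 draft differed).

// Constructed allowlist: the only origin that may see per-user (cookie-backed) data.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Weak policy: the "mindless opt in" case. The request's Origin is reflected
// unchanged and the browser is told to include cookies, so any site the user
// visits can read responses that were meant only for the trusted application.
function weakPolicy(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: credentials are granted only to a listed origin. Everything
// else gets either a cookie-free public grant ("*") or no grant at all, in which
// case the browser withholds the response body from the calling script.
function hardenedPolicy(requestOrigin, { publicResource = false } = {}) {
  if (TRUSTED_ORIGINS.has(requestOrigin)) {
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin", // keep a shared cache from replaying this grant to another origin
    };
  }
  if (publicResource) {
    return { "Access-Control-Allow-Origin": "*" }; // fine for data with no per-user content
  }
  return null;
}

// The combination browsers refuse outright: a wildcard origin together with
// credentials. Returning true means the response is blocked, not leaked.
function rejectedByBrowser(headers) {
  return (
    headers["Access-Control-Allow-Origin"] === "*" &&
    headers["Access-Control-Allow-Credentials"] === "true"
  );
}

// Browser side: which response headers may cross-site script read? Only the
// safelisted ones plus those the server explicitly exposes, and Set-Cookie
// never, matching the "this is prevented" point in the thread. (The "*"
// wildcard form of Access-Control-Expose-Headers is left out for brevity.)
const CORS_SAFELISTED_RESPONSE = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);
const FORBIDDEN_RESPONSE = new Set(["set-cookie", "set-cookie2"]);

function readableHeaders(responseHeaders) {
  const exposed = new Set(
    (responseHeaders["Access-Control-Expose-Headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
  return Object.keys(responseHeaders).filter((name) => {
    const n = name.toLowerCase();
    if (FORBIDDEN_RESPONSE.has(n)) return false;
    return CORS_SAFELISTED_RESPONSE.has(n) || exposed.has(n);
  });
}

// Constructed response from a misconfigured site, as seen by a script on
// another origin: the session cookie is stored by the browser but stays unreadable.
const SAMPLE_RESPONSE = {
  "Content-Type": "text/xml",
  "Set-Cookie": "sid=abc123; HttpOnly",
  "X-Request-Id": "req-42",
  "Access-Control-Expose-Headers": "X-Request-Id",
};

console.log(weakPolicy("https://attacker.example"));     // reflects the attacker's origin with credentials
console.log(hardenedPolicy("https://attacker.example")); // null: no grant, body withheld
console.log(readableHeaders(SAMPLE_RESPONSE));           // ["Content-Type", "X-Request-Id"]
```

The point the two policies make concrete is the one Bjoern raises: with the weak policy the damage is done to every user of the misconfigured site, because the cookie rides along with the cross-site request and the response comes back to whatever page triggered it. Anne's reply holds for the headers: even under the weak policy, readableHeaders never returns Set-Cookie, so the session cookie itself is not disclosed; what leaks is the cookie-authenticated response body.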
