Re: ISSUE 19: Requirements and Usage Scenarios document

On Wed, 16 Jan 2008 04:02:33 +0100, Bjoern Hoehrmann <>  
> * Anne van Kesteren wrote:
>> Cookies are already sent for <img>, <script>, and <form> requests.  
>> Nothing new. If people mindless opt in we have might have a problem  
>> (though it's
>> really the people that opt in that do), but I would expect that
>> dalmationlovers.invalid & co are using some off the shelf software.
> It's actually all of us who would have a problem if the server is mis-
> configured as we might be customers of a misconfigured site and incur
> damages as a result of the misconfiguration (e.g., if we visit a ma-
> licious site and have data intended only for a trusted site stolen).

I agree that this is a problem. Though if you share your data through XML  
you can still solve this yourself. (And typically servers allow you to  
override HTTP headers as well.)

> Sending the cookies may be less a problem than allowing scripts read
> access to them (e.g., by allowing them to read the Set-Cookie header
> or the document.cookie property). It's not difficult to imagine people
> mixing cookies and `allow "*"` resources, which would likely go wrong.

This is prevented. (Access to those headers and document.cookie.)

Anne van Kesteren

Received on Wednesday, 16 January 2008 10:08:18 UTC