- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 24 Jan 2008 17:00:50 +0100
- To: tep4i6o02@sneakemail.com, public-html-comments@w3.org
On Thu, 24 Jan 2008 13:40:20 +0100, <tep4i6o02@sneakemail.com> wrote: >> From the draft spec ( http://www.w3.org/TR/html5/ ): > > 'Since the cookie attribute is accessible across frames, the path > restrictions on cookies are only a tool to help manage which cookies are > sent to which parts of the site, and are not in any way a security > feature. ' > > Since frame access is subject to same-origin rules, the only domain one > could get cookies from this way, would be... the same domain as oneself! > What is the use of this? NB: This is my personal view. (All other e-mails I sent to this list (and have sent) are also my personal view unless noted otherwise.) What the draft is pointing out here is that if multiple authors, say author A and B, share a domain A can't protect his cookies from B. If A has http://example.org/author/A/ and B has http://example.org/author/B/ author A could simply inject an <iframe> in his web space that loads the site of author B and then "steals" cookie data because same-origin frame communication is allowed. > As specified, it is nothing more than a security risk as it negates > cookie path restrictions. Why not just specify: Accessing cookies from > any other HTMLDocument than the current one causes an exception. Because you can't really tell which document is accessing it if you use some other variable in the iframe first to store the cookie value in and then read that variable, etc. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Thursday, 24 January 2008 15:57:17 UTC