Re: UNS: Re: frame.cookie: useless, security risk

On Thu, 24 Jan 2008, Anne van Kesteren annevk-at-opera.com |w3c| wrote:

> On Thu, 24 Jan 2008 13:40:20 +0100, <tep4i6o02@sneakemail.com> wrote:
>>> From the draft spec ( http://www.w3.org/TR/html5/ ):
>> 
>> 'Since the cookie attribute is accessible across frames, the path 
>> restrictions on cookies are only a tool to help manage which cookies are 
>> sent to which parts of the site, and are not in any way a security feature. 
>> '
>> 
>> Since frame access is subject to same-origin rules, the only domain one 
>> could get cookies from this way, would be... the same domain as oneself! 
>> What is the use of this?
>
> NB: This is my personal view. (All other e-mails I sent to this list (and 
> have sent) are also my personal view unless noted otherwise.)
>
> What the draft is pointing out here is that if multiple authors, say author A 
> and B, share a domain A can't protect his cookies from B. If A has 
> http://example.org/author/A/ and B has http://example.org/author/B/ author A 
> could simply inject an <iframe> in his web space that loads the site of 
> author B and then "steals" cookie data because same-origin frame 
> communication is allowed.
>
That is correct.

>
>> As specified, it is nothing more than a security risk as it negates cookie 
>> path restrictions. Why not just specify: Accessing cookies from any other 
>> HTMLDocument than the current one causes an exception.
>
> Because you can't really tell which document is accessing it if you use some 
> other variable in the iframe first to store the cookie value in and then read 
> that variable, etc.
>

How can it be impossible to distinguish between the paths of windows and 
running script, when it is commonplace to distinguish between the domains 
of the windows? Or does the security model allow one to inject scripts 
into another window (in the same domain), so they run from there?

Otherwise your scenario would require authors A and B to collaborate. 
Obviously, if A wants to share his cookies with B, he can, using a variety 
of tricks (for instance, load an image with the cookie data as a query 
parameter).

Martijn

Received on Thursday, 24 January 2008 16:28:44 UTC