Re: [whatwg/fetch] Allow setting `cookie` header in credential-less CORS requests (#268)

@sicking: I understand the restriction, and I agree that it would enable session fixation only in cases where the site was doing something strange (tying sessions to IP addresses, etc).

I didn't explain the "attack surface" bit clearly enough, and I think it's the more important point: sites today assume that they have complete control over cookies. This falls down, of course, with registrable domain excitement, but would be much worse if sites needed to deal with malicious third parties sending constructed cookie payloads. Of course they ought to be protecting themselves because never trust the client, but I suspect that this would cause some issues. It also might allow brute-forcing of credential information/session ids/etc. in a way that isn't possible today.

I skimmed the thread you pointed to, and Tim et al. raise a number of questions. It's not at all clear to me that this addresses any of them. :) How does enabling a website to send arbitrary cookies to a third party solve the problem of not knowing whether or not credentials ought to be sent to an endpoint?

---
https://github.com/whatwg/fetch/issues/268#issuecomment-205707929

Received on Tuesday, 5 April 2016 07:54:08 UTC
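The "never trust the client" point above is the defender's takeaway: once a `Cookie` header may have been constructed by a third party rather than assembled by the browser's cookie jar, a server should parse it as hostile input. The following Node.js snippet is an added example, not code from the thread or from the fetch spec. It bounds header size and cookie count, rejects malformed names and values per the RFC 6265 token/cookie-octet grammar, refuses any cookie name that appears more than once (so an injected duplicate cannot shadow the legitimate one), and only accepts a session id that matches an expected shape. The cookie name `sid`, the session-id format, and the size limits are assumptions chosen for the example.

```javascript
// Added example (not from the original thread): defensive handling of an
// incoming Cookie header, assuming any client may have constructed it.
const MAX_COOKIE_HEADER_CHARS = 4096;            // assumed limit
const MAX_COOKIES = 50;                          // assumed limit
const SESSION_COOKIE_NAME = 'sid';               // assumed name for this app
const NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 6265 "token"
// RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, DQUOTE,
// comma, semicolon and backslash.
const VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
const SESSION_ID_RE = /^[A-Za-z0-9_-]{32,64}$/;  // assumed session-id shape

// Parse a Cookie header into { cookies: Map<name, value>, rejected: string[] }.
// Anything that does not fit the grammar, or any name seen more than once,
// is dropped and recorded in `rejected` so it can be logged.
function parseCookieHeader(header) {
  const result = { cookies: new Map(), rejected: [] };
  if (typeof header !== 'string') return result;
  if (header.length > MAX_COOKIE_HEADER_CHARS) {
    result.rejected.push('header-too-large');
    return result;
  }
  const pairs = header.split(';');
  if (pairs.length > MAX_COOKIES) {
    result.rejected.push('too-many-cookies');
    return result;
  }
  const seen = new Map(); // name -> all values presented under that name
  for (const raw of pairs) {
    const pair = raw.trim();
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    if (eq <= 0) { result.rejected.push(pair); continue; } // no name or no '='
    const name = pair.slice(0, eq);
    let value = pair.slice(eq + 1);
    // Strip one optional pair of surrounding DQUOTEs, as RFC 6265 allows.
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (!NAME_RE.test(name) || !VALUE_RE.test(value)) {
      result.rejected.push(pair);
      continue;
    }
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  for (const [name, values] of seen) {
    if (values.length > 1) {
      // A duplicated name is ambiguous: do not let an injected copy win.
      result.rejected.push(`ambiguous:${name}`);
    } else {
      result.cookies.set(name, values[0]);
    }
  }
  return result;
}

// Return the session id only if present exactly once and well-formed.
function sessionIdFromCookies(cookies) {
  const value = cookies.get(SESSION_COOKIE_NAME);
  if (typeof value !== 'string' || !SESSION_ID_RE.test(value)) return null;
  return value;
}

// Constructed sample input: a legitimate cookie plus an injected duplicate,
// a malformed name, and a bare fragment with no '='.
const sample = 'sid=' + 'a'.repeat(40) + '; theme=dark; sid=zzz; bad name=1; =x; theme';
const parsed = parseCookieHeader(sample);
console.log('accepted:', [...parsed.cookies.entries()]);
console.log('rejected:', parsed.rejected);
console.log('session id:', sessionIdFromCookies(parsed.cookies)); // null: sid was ambiguous
```

Logging the `rejected` list is what turns this from a silent filter into detection: a spike of `ambiguous:sid` or malformed pairs from one client is the signal that someone is presenting constructed cookie payloads rather than a browser's own jar.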