W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2010

Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

From: Getify <getify@gmail.com>
Date: Wed, 10 Nov 2010 16:43:25 -0600
Message-ID: <4B692E8C6B0E45E8A44B12947D04E38F@spartacus>
To: "public webapps" <public-webapps@w3.org>
> Ah okay. So that would never work. As things tagged with "anonymous",
> XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore 
> Set-Cookie headers.

First of all, a CORS xhr request could be made with credentials (since 
they're available in the view-source JavaScript)... the question is whether 
or not evil.com making such a request (using CORS) against bank.com with 
credentials would in fact cause the SetCookie response header to be 
interpreted by the browser in such a way that the browser's session cookie 
for bank.com would be killed?

Secondly, are we sure that all implementations of CORS xhr are ignoring 
SetCookie headers in the "without credentials" case?

Received on Wednesday, 10 November 2010 22:44:36 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:13 UTC