> Ah okay. So that would never work. As things tagged with "anonymous",
> XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore
> Set-Cookie headers.

First of all, a CORS xhr request could be made with credentials (since they're available in the view-source JavaScript)... the question is whether or not evil.com making such a request (using CORS) against bank.com with credentials would in fact cause the Set-Cookie response header to be interpreted by the browser in such a way that the browser's session cookie for bank.com would be killed?

Secondly, are we sure that all implementations of CORS xhr are ignoring Set-Cookie headers in the "without credentials" case?

--Kyle

Received on Wednesday, 10 November 2010 22:44:36 UTC
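The scenario in the message above (evil.com sending a credentialed cross-origin XHR to a bank.com endpoint whose response carries a session-killing Set-Cookie) is, from the server's side, a cross-site request to a state-changing endpoint. The following Node.js snippet is an added example, not code from the thread or from any W3C specification: a hypothetical bank.example logout handler that grants credentialed CORS only to an explicit origin allowlist (never `*` together with `Access-Control-Allow-Credentials`) and checks the request's `Origin` header before emitting any `Set-Cookie` at all, so a cross-site request never receives the cookie-clearing header regardless of how a given browser would treat it. The origin names, cookie value and request objects are constructed for the example.

```javascript
// Added example (not from the mailing-list thread): a hypothetical bank.example
// logout handler with two server-side controls for the scenario discussed above.
//
// 1. Credentialed CORS is granted only to an explicit allowlist of origins;
//    "*" is never combined with Access-Control-Allow-Credentials.
// 2. The state-changing logout endpoint checks the Origin header before
//    emitting the session-clearing Set-Cookie, so a cross-site request is
//    answered without any Set-Cookie header to apply.

const ALLOWED_ORIGINS = new Set(['https://bank.example']); // assumed allowlist

// CORS response headers for a credentialed request from `origin`.
// Returns an empty object (no CORS grant) for any origin not on the allowlist.
function corsResponseHeaders(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowlist.has(origin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': origin,       // echo the exact origin, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                             // keep shared caches from mixing origins
  };
}

// Decide whether a state-changing request may proceed. Browsers attach an
// Origin header to every cross-origin XHR/fetch, so an Origin outside the
// allowlist identifies a cross-site request. A missing Origin is treated as
// not allowed for state changes.
function isStateChangeAllowed(headers, allowlist = ALLOWED_ORIGINS) {
  const origin = headers['origin'];
  return typeof origin === 'string' && allowlist.has(origin);
}

// Hypothetical logout handler. `req` is a plain object { method, headers }
// with lowercase header names, as Node's http module provides them.
function handleLogout(req) {
  const origin = req.headers['origin'];
  const headers = corsResponseHeaders(origin);

  if (req.method !== 'POST') {
    return { status: 405, headers, body: 'method not allowed' };
  }
  if (!isStateChangeAllowed(req.headers)) {
    // Cross-site request: respond without any Set-Cookie, so there is
    // nothing for the browser to apply to bank.example's cookie jar.
    return { status: 403, headers, body: 'cross-site request rejected' };
  }
  return {
    status: 200,
    headers: {
      ...headers,
      // Clears the session cookie; only reachable for an allowlisted origin.
      'Set-Cookie': 'session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax',
    },
    body: 'logged out',
  };
}

// Constructed sample requests (not captured traffic). Both carry the
// bank.example session cookie, as a credentialed XHR would.
const CROSS_SITE_REQUEST = {
  method: 'POST',
  headers: { origin: 'https://evil.example', cookie: 'session=abc123' },
};
const SAME_SITE_REQUEST = {
  method: 'POST',
  headers: { origin: 'https://bank.example', cookie: 'session=abc123' },
};

// Run both requests through the handler and return the responses.
function demo() {
  return {
    crossSite: handleLogout(CROSS_SITE_REQUEST),
    sameSite: handleLogout(SAME_SITE_REQUEST),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The cross-site request is answered with 403 and no `Set-Cookie` (and no CORS grant, since evil.example is not allowlisted), while the same-origin POST gets the clearing cookie plus an exact-origin credentialed CORS grant. The `Origin` check is what keeps the session-killing header out of the response in the first place, independent of whether the browser would honour it.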
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:13 UTC