Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

> Ah okay. So that would never work. As things tagged with "anonymous",
> XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore 
> Set-Cookie headers.

First of all, a CORS xhr request could be made with credentials (since
they're available in the view-source JavaScript)... the question is whether
or not evil.com making such a request (using CORS) against bank.com with
credentials would in fact cause the Set-Cookie response header to be
interpreted by the browser in such a way that the browser's session cookie
for bank.com would be killed?

Secondly, are we sure that all implementations of CORS xhr are ignoring
Set-Cookie headers in the "without credentials" case?

--Kyle 

Received on Wednesday, 10 November 2010 22:44:36 UTC
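The scenario Kyle raises (evil.com sending a credentialed cross-origin request and the resulting Set-Cookie expiring the user's bank.com session) is, from the server's side, a logout CSRF. Whatever a given browser does with Set-Cookie on a CORS response, the site can refuse to expire a session for a request that did not come from its own origin. The following is an added example, not code from the thread or from any browser or W3C implementation; the origin names, cookie name and the handler shape are constructed for illustration. It relies only on the fact that browsers attach an Origin header to cross-origin XMLHttpRequest calls.

```javascript
// Added example (not part of the original mailing-list thread).
// Server-side handling of a logout endpoint that must not let a
// cross-origin caller expire the victim's session cookie.
// SITE_ORIGIN, ALLOWED_ORIGINS and the cookie name are constructed values.

const SESSION_COOKIE = "sid";                  // hypothetical session cookie name
const SITE_ORIGIN = "https://bank.example";   // hypothetical first-party origin
const ALLOWED_ORIGINS = new Set([SITE_ORIGIN]);

// CORS headers for a credentialed response: reflect only an allowlisted
// origin, never "*", and only then allow credentials. An origin that is
// not allowlisted gets no CORS headers at all, so the browser treats the
// response as opaque for that caller.
function corsHeadersFor(origin) {
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
}

// Decide how a logout request is answered, given lower-cased request
// headers. Returns { status, headers } so the decision can be unit-tested
// without a listening socket.
function handleLogout(reqHeaders) {
  const origin = reqHeaders["origin"];

  // A browser-initiated cross-origin XHR always carries Origin. If it is
  // present and not ours, refuse: no Set-Cookie, no CORS headers, so the
  // request has no effect on the victim's session regardless of how the
  // browser would otherwise process Set-Cookie on a CORS response.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }

  // Same-origin request (or a plain navigation with no Origin header):
  // expire the session cookie. A real deployment would additionally
  // require an anti-CSRF token here; the Origin check is the first gate.
  return {
    status: 204,
    headers: {
      ...corsHeadersFor(origin),
      "set-cookie": `${SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax`,
      "cache-control": "no-store",
    },
  };
}

// Constructed request headers, as a browser would send them for a
// credentialed XHR from a third-party page versus from the site itself.
const CROSS_ORIGIN_REQUEST = { origin: "https://evil.example", cookie: "sid=abc123" };
const SAME_ORIGIN_REQUEST = { origin: SITE_ORIGIN, cookie: "sid=abc123" };

function demo() {
  const blocked = handleLogout(CROSS_ORIGIN_REQUEST);
  const allowed = handleLogout(SAME_ORIGIN_REQUEST);
  console.log("cross-origin logout ->", blocked.status, JSON.stringify(blocked.headers));
  console.log("same-origin logout  ->", allowed.status, JSON.stringify(allowed.headers));
  return { blocked, allowed };
}

demo();
```

The point of the design is that the session's survival does not depend on browser behaviour that the thread is unsure about: the server simply never emits a cookie-expiring Set-Cookie to a request whose Origin is not its own, and never pairs `Access-Control-Allow-Credentials: true` with a wildcard origin.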