Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

On Wed, Nov 10, 2010 at 2:43 PM, Getify <getify@gmail.com> wrote:
>> Ah okay. So that would never work. As things tagged with "anonymous",
>> XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore
>> Set-Cookie headers.
>
> First of all, a CORS xhr request could be made with credentials (since
> they're available in the view-source JavaScript)... the question is whether
> or not evil.com making such a request (using CORS) against bank.com with
> credentials would in fact cause the SetCookie response header to be
> interpreted by the browser in such a way that the browser's session cookie
> for bank.com would be killed?

Yes, the same way you can by using <img src="http://bank.com/...">

> Secondly, are we sure that all implementations of CORS xhr are ignoring
> SetCookie headers in the "without credentials" case?

Please do try it. There isn't much the spec can do other than spec
that they should.

/ Jonas

Received on Wednesday, 10 November 2010 22:51:48 UTC
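The point Jonas makes above is that a browser applies a Set-Cookie response header whether or not the requesting page can read the response: a credentialed cross-origin XHR and a plain `<img src="http://bank.com/...">` both deliver the server's cookie changes to the browser's jar for bank.com. The practical consequence for a site is that an endpoint which clears the session on any request it receives (a logout URL, say) can be driven from another origin. The following Python is an added illustration written for this archive page, not code from the thread or from any W3C specification; it shows the server-side checks that keep such a request from expiring the session. The origin `https://bank.example`, the cookie name `sid`, the form field `csrf_token` and the request/response shapes are assumptions for the example, and the `SameSite` cookie attribute and the `Origin` header it relies on are later browser features that did not exist when this message was written.

```python
"""
Added example (not from the thread): server-side checks that keep a
cross-site request from expiring a user's session.

The browser honors Set-Cookie on the response to a cross-origin request
even when the requesting page cannot read that response, so the only
reliable defense is to clear the session solely for requests that
demonstrably came from the application's own pages.

All names below (ALLOWED_ORIGIN, cookie and form field names) are
assumptions for this illustration, not the endpoints of any real site.
"""
import hmac
from typing import Dict, Optional, Tuple

ALLOWED_ORIGIN = "https://bank.example"   # assumed application origin
SESSION_COOKIE = "sid"                     # assumed session cookie name
CSRF_FIELD = "csrf_token"                  # assumed form field name


def issue_session_cookie(session_id: str) -> str:
    """Set-Cookie value for a fresh session.

    SameSite=Lax stops the browser from attaching this cookie to
    cross-site subresource loads and cross-site XHR/fetch requests,
    so a request driven from another origin arrives without the
    session cookie in the first place."""
    return (f"{SESSION_COOKIE}={session_id}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax")


def expire_session_cookie() -> str:
    """Set-Cookie value that deletes the session cookie (Max-Age=0)."""
    return (f"{SESSION_COOKIE}=; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age=0")


def same_site_request(headers: Dict[str, str]) -> bool:
    """True only when the Origin header names our own origin.

    Browsers send Origin on CORS requests and on cross-site POSTs; a
    request with no Origin at all (an <img> load, for instance) is
    treated as untrusted for a state-changing action."""
    return headers.get("Origin") == ALLOWED_ORIGIN


def handle_logout(headers: Dict[str, str], cookies: Dict[str, str],
                  form: Dict[str, str],
                  expected_csrf: str) -> Tuple[int, Optional[str]]:
    """Return (status, Set-Cookie header value or None).

    The session is cleared only when all three hold:
      * the session cookie was actually sent (a credentialed request),
      * the Origin header names our own origin, and
      * the form carries the per-session CSRF token.
    Every other request gets a response with no Set-Cookie header, so
    the user's session at the real site survives it."""
    if SESSION_COOKIE not in cookies:
        return 401, None                      # no session to clear
    if not same_site_request(headers):
        return 403, None                      # cross-site or unknown origin
    token = form.get(CSRF_FIELD, "")
    if not hmac.compare_digest(token, expected_csrf):
        return 403, None                      # token missing or wrong
    return 200, expire_session_cookie()


if __name__ == "__main__":
    # Constructed sample requests, all carrying the session cookie
    # because the browser attached it (a credentialed request).
    jar = {SESSION_COOKIE: "abc123"}
    token = "constructed-csrf-token"
    # Credentialed CORS XHR from another origin: refused, cookie untouched.
    print(handle_logout({"Origin": "https://evil.example"}, jar, {}, token))
    # Legitimate logout from the site's own page with the CSRF token.
    print(handle_logout({"Origin": ALLOWED_ORIGIN}, jar,
                        {CSRF_FIELD: token}, token))
```

In use, `issue_session_cookie` is what the login handler emits, and `handle_logout` (or the same three checks) guards every endpoint whose response would carry a Set-Cookie that invalidates the session. The `Origin` comparison and the CSRF token are independent: the token alone already defeats the forced-logout case, and the origin check is cheap defence in depth for the non-GET paths where the browser supplies that header.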