W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2006

[whatwg] cross-frame cookies

From: Alexey Feldgendler <alexey@feldgendler.ru>
Date: Wed, 08 Feb 2006 22:55:46 +0600
Message-ID: <op.s4nym8gp1h6og4@pancake.feldgendler.ru>
On Wed, 08 Feb 2006 17:29:46 +0600, Hallvord R M Steen <hallvors at gmail.com> wrote:

> there is some discussion surrounding cookies and security - see this bug:
> http://bugzilla.opendarwin.org/show_bug.cgi?id=6797
>
> We are wondering if it would be any use to block document.cookie
> access across frames completely, or whether this would break too many
> sites out there... Any thoughts on this?

Just blocking access to cookies of another frame isn't enough. Consider the following example:

// otherframe and thisframe are Window objects; 'unload' fires at the
// window, not at document.body, so the listener is attached to the window
otherframe.addEventListener('unload', function() {
    thisframe.variable = otherframe.document.cookie; // runs at unload time
}, false);

When the unload event fires, otherframe will be accessing its own cookies, which is legal.


-- 
Opera M2 8.5 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station [ICQ: 115226275] <alexey at feldgendler.ru>
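Added illustration, not part of the original thread or of any browser's code: a small model of two frames from different origins that replays the scenario above under two candidate access rules for document.cookie. A rule keyed on "which frame's event is currently firing" (the naive cross-frame block discussed in the thread) still hands the cookie to the other frame at unload time; a rule keyed on the origin of the script that registered the handler does not. The frame names, origins and cookie value are constructed, and the Frame/AccessContext classes are hypothetical stand-ins for the browser's real objects.

```javascript
// Toy model of two frames with separate origins and cookie jars.
// Frame names, origins and the cookie value are constructed for this example.
class Frame {
  constructor(origin, cookie) {
    this.origin = origin;
    this.cookie = cookie;       // constructed sample cookie value
    this.listeners = [];
    this.variable = undefined;  // where the registering frame would stash a leaked value
  }

  // Register a handler and remember the origin of the script that registered
  // it, the way a browser associates a function with the realm it was created in.
  addEventListener(type, fn, registeringOrigin) {
    this.listeners.push({ type, fn, registeringOrigin });
  }

  // Dispatch an event. Each handler runs with its registering origin as the
  // caller principal, no matter which frame is the one unloading.
  dispatch(type, policy) {
    for (const l of this.listeners) {
      if (l.type === type) l.fn(new AccessContext(this, l.registeringOrigin, policy));
    }
  }
}

// Models the document.cookie getter under two candidate policies.
class AccessContext {
  constructor(runningFrame, callerOrigin, policy) {
    this.runningFrame = runningFrame;  // frame whose event is firing
    this.callerOrigin = callerOrigin;  // origin of the script that registered the handler
    this.policy = policy;
  }

  readCookie(targetFrame) {
    if (this.policy === 'frame-based') {
      // Naive rule: allow if the target is the frame whose event is firing.
      if (targetFrame !== this.runningFrame) throw new Error('blocked');
    } else {
      // Principal-based rule: allow only if the calling script's origin
      // matches the origin owning the cookie jar.
      if (targetFrame.origin !== this.callerOrigin) throw new Error('blocked');
    }
    return targetFrame.cookie;
  }
}

// Replays the message's scenario under the given policy and returns what
// ended up in thisframe.variable: the cookie string, or null if blocked.
function runScenario(policy) {
  const thisframe = new Frame('https://first.example', '');
  const otherframe = new Frame('https://second.example', 'session=abc123'); // constructed

  // Script running in thisframe registers an unload handler on otherframe.
  otherframe.addEventListener('unload', function (ctx) {
    try {
      thisframe.variable = ctx.readCookie(otherframe);
    } catch (e) {
      thisframe.variable = null;
    }
  }, thisframe.origin);

  otherframe.dispatch('unload', policy);
  return thisframe.variable;
}

console.log('frame-based    :', runScenario('frame-based'));
console.log('principal-based:', runScenario('principal-based'));
```

The design point the model makes is that the access check must key on the principal of the script that will read the value, not on the frame whose lifecycle event happens to be running; a check made at dispatch time against the current frame is exactly what the unload handler sidesteps.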
Received on Wednesday, 8 February 2006 08:55:46 UTC
