- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 24 May 2007 22:10:14 +0000 (UTC)
On Wed, 8 Feb 2006, Hallvord R M Steen wrote:
>
> there is some discussion surrounding cookies and security - see this
> bug: http://bugzilla.opendarwin.org/show_bug.cgi?id=6797
>
> We are wondering if it would be any use to block document.cookie access
> across frames completely, or whether this would break too many sites out
> there.. Any thoughts on this?

Doesn't matter if you block access even across frames. Someone could just
inject a <script> tag into the other frame and have that script do the
work. The path restrictions on cookies are only useful as a way to manage
which part of the site gets cookies, not as a security measure. I've added
a note to that effect.

Cheers,
--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
Received on Thursday, 24 May 2007 15:10:14 UTC
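
The distinction drawn in the message above, as an added example that is not part of the original thread: a simplified model in which cookie visibility is decided by the RFC 6265 path-match rule, while scripting access between frames is decided by origin (scheme, host, port) with no path component. The hosts, paths, cookie names and the `reachableCookies` helper are constructed for illustration; the model ignores the Domain, Secure and HttpOnly attributes.

```javascript
// Added example: constructed hosts, paths and cookie names throughout.

// RFC 6265 section 5.1.4 path-match: is a cookie with `cookiePath`
// in scope for a document or request at `requestPath`?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // "/app" must not match "/application": require a "/" at the boundary.
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Same-origin comparison as used for cross-frame DOM access.
// The path is not part of the origin.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Names of the cookies document.cookie would list for a document at docUrl.
function visibleCookies(jar, docUrl) {
  const u = new URL(docUrl);
  return jar
    .filter(c => c.host === u.hostname && pathMatch(u.pathname, c.path))
    .map(c => c.name);
}

// Cookies a document can reach in practice: its own, plus those visible to
// any frame it is allowed to script (hypothetical helper for this model).
function reachableCookies(jar, docUrl, frameUrls) {
  const names = new Set(visibleCookies(jar, docUrl));
  for (const frameUrl of frameUrls) {
    if (!sameOrigin(docUrl, frameUrl)) continue; // other origins stay isolated
    for (const n of visibleCookies(jar, frameUrl)) names.add(n);
  }
  return [...names].sort();
}

// Constructed sample data: two path-scoped cookies on one host.
const jar = [
  { name: 'app_session', host: 'example.test', path: '/app' },
  { name: 'blog_pref', host: 'example.test', path: '/blog' },
];
const blogDoc = 'https://example.test/blog/post';
const frames = ['https://example.test/app/', 'https://other.test/app/'];

console.log('visible by path:', visibleCookies(jar, blogDoc));
console.log('reachable via same-origin frames:', reachableCookies(jar, blogDoc, frames));
```
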