[whatwg] cross-frame cookies

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 24 May 2007 22:10:14 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0705242207340.23432@dhalsim.dreamhost.com>

On Wed, 8 Feb 2006, Hallvord R M Steen wrote:
>
> there is some discussion surrounding cookies and security - see this 
> bug: http://bugzilla.opendarwin.org/show_bug.cgi?id=6797
> 
> We are wondering if it would be any use to block document.cookie access 
> across frames completely, or whether this would break too many sites out 
> there.. Any thoughts on this?

Doesn't matter if you block access even across frames. Someone could just 
inject a <script> tag into the other frame and have that script do the 
work. The path restrictions on cookies are only useful as a way to manage 
which part of the site gets cookies, not as a security measure.

I've added a note to that effect.

Cheers,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 24 May 2007 15:10:14 UTC
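
The point made in the reply above, as an added example that is not part of the original message: a cookie's Path attribute and the same-origin check are evaluated independently, so a frame that is outside the cookie's path can still be allowed to script the frame that holds it. The function names and the `example.test` URLs are assumptions constructed for illustration.

```javascript
// Added illustration; URLs and cookie paths are constructed sample values.

// RFC 6265 section 5.1.4 path-match: decides whether a cookie with the given
// Path attribute is exposed to a document or request at requestPath.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only matches on a "/" boundary: /app-a does not match /app-admin.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Same-origin comparison (scheme, host, port): the check a browser applies
// before one frame may reach into another frame's document.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// For a cookie scoped to cookiePath and held by the document at ownerUrl,
// report what a second frame at otherUrl is permitted to do.
function assess(ownerUrl, otherUrl, cookiePath) {
  const visibleInOwnJar = pathMatch(new URL(otherUrl).pathname, cookiePath);
  const canScriptOwner = sameOrigin(ownerUrl, otherUrl);
  return {
    visibleInOwnJar, // other frame sees the cookie in its own document.cookie
    canScriptOwner,  // other frame may run script in the owner's document
    // The cookie is out of reach only if both routes are closed.
    isolated: !visibleInOwnJar && !canScriptOwner,
  };
}

// Constructed cases: same origin with a different path, then a different origin.
const owner = "https://example.test/app-a/index.html";
const cases = [
  "https://example.test/app-b/widget.html",
  "https://other.example.test/app-b/widget.html",
];
for (const other of cases) {
  console.log(other, assess(owner, other, "/app-a"));
}
```

Only the second case reports `isolated: true`, which is why applications that must not share cookies belong on separate origins rather than separate paths.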
