[whatwg] cross-frame cookies

On Wed, 8 Feb 2006, Hallvord R M Steen wrote:
>
> there is some discussion surrounding cookies and security - see this 
> bug: http://bugzilla.opendarwin.org/show_bug.cgi?id=6797
> 
> We are wondering if it would be any use to block document.cookie access 
> across frames completely, or whether this would break too many sites out 
> there... Any thoughts on this?

Doesn't matter if you block access even across frames. Someone could just 
inject a <script> tag into the other frame and have that script do the 
work. The path restrictions on cookies are only useful as a way to manage 
which part of the site gets cookies, not as a security measure.

I've added a note to that effect.

Cheers,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 24 May 2007 15:10:14 UTC
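The distinction Ian draws above, that a cookie's Path attribute governs which requests carry the cookie while the same-origin policy (scheme, host and port only) governs which scripts can reach it, can be checked in code. The following is an added example, not code from the whatwg thread or from any browser; the RFC 6265 path-match rule and the origin comparison are standard, while the URLs, cookie names and the helper names `sameOrigin`, `pathMatches`, `parseSetCookie` and `exposure` are constructed for this illustration. It runs under Node.js with no dependencies.

```javascript
// Added example (not part of the whatwg thread): why a cookie's Path attribute
// is not a security boundary, while origin and the HttpOnly flag are.
// Only the Node.js standard library is used; all URLs and cookies are constructed.

// Same-origin check as browsers apply it: scheme, host and port only.
// The path plays no part, so /public and /admin on one host are one origin.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol &&
         ua.hostname === ub.hostname &&
         ua.port === ub.port;
}

// RFC 6265 section 5.1.4 path-match: does a request path receive the cookie?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Minimal Set-Cookie parser covering only the attributes relevant here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    path: '/',
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'path' && v) cookie.path = v;
    if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// For a cookie set by setterUrl, report whether a page at pageUrl
//  (a) receives it in the Cookie header of its own request (path-match), and
//  (b) can obtain it from script running in that page's origin.
// (b) follows the origin, not the path: a same-origin page can reach a frame
// whose path does match (frame.document.cookie), which is the point made in
// the thread. Only HttpOnly keeps the cookie out of document.cookie entirely.
function exposure(setterUrl, setCookieHeader, pageUrl) {
  const cookie = parseSetCookie(setCookieHeader);
  const sentOnRequest = pathMatches(new URL(pageUrl).pathname, cookie.path);
  const readableFromOrigin = sameOrigin(setterUrl, pageUrl) && !cookie.httpOnly;
  return { name: cookie.name, sentOnRequest, readableFromOrigin };
}

// Constructed scenario: a session cookie scoped to /admin, and a page on the
// same host under /public. The path keeps the cookie off /public requests but
// gives /public scripts no less reach than /admin scripts have.
const setter = 'https://example.test/admin/';
const page = 'https://example.test/public/page';
console.log(exposure(setter, 'session=abc; Path=/admin', page));
console.log(exposure(setter, 'session=abc; Path=/admin; HttpOnly', page));
```

The first report shows `sentOnRequest: false` but `readableFromOrigin: true`, which is the situation the thread describes: blocking `document.cookie` across frames would not change the origin boundary. The second shows that HttpOnly is what removes a cookie from script reach; limiting exposure then depends on keeping script injection (for example via untrusted HTML) out of every path on the origin, not on the cookie's Path.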