- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sat, 11 Oct 2008 23:29:25 -0700
Collin Jackson wrote:
> 6) New cookie attribute: The "httpOnly" cookie flag allows sites to
> put restrictions on how a cookie can be accessed. We could allow a new
> flag to be specified in the Set-Cookie header that is designed to
> prevent CSRF and "UI redress" attacks. If a cookie is set with a
> "sameOrigin" flag, we could prevent that cookie from being sent on
> HTTP requests that are initiated by other origins, or were made by
> frames with ancestors of other origins. In a CSRF or "UI redress"
> attack scenario, it will appear as though the user is not logged in,
> and thus the HTTP request will be unable to affect the user's account.
>
> This flag could potentially use the cookie concept of same origin
> rather than the HTML5 concept of same origin: ignore port, ignore
> scheme unless "secure" flag is set, "domain" attribute can be used to
> relax domain comparison.

Wouldn't such cookies still be sent if you trick the user into first clicking a link inside the frame, thus making it a same-site navigation, and then getting the user to click on the 'transfer money' link or whatever you are trying to trick the user to do?

/ Jonas
Received on Saturday, 11 October 2008 23:29:25 UTC
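The following is an added illustration of the quoted proposal's attachment rule, not code from either author: a cookie-style same-origin test (port ignored, scheme ignored unless Secure, Domain= relaxing the host match) applied to both the request initiator and every ancestor frame. The hosts bank.example and evil.example, the `Cookie` class and the scenario names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    host: str                     # host that set the cookie
    secure: bool = False          # Secure attribute
    domain: Optional[str] = None  # Domain= attribute relaxes the host match
    same_origin: bool = False     # the proposed "sameOrigin" flag

def cookie_same_origin(cookie: Cookie, origin: str) -> bool:
    """Cookie-style same-origin test from the proposal: port is ignored,
    scheme is ignored unless the cookie is Secure, and Domain= relaxes the
    host comparison to a domain-suffix match."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    if cookie.secure and parts.scheme != "https":
        return False
    if cookie.domain:
        d = cookie.domain.lstrip(".").lower()
        return host == d or host.endswith("." + d)
    return host == cookie.host.lower()

def should_attach(cookie: Cookie, initiator: str, ancestors: List[str]) -> bool:
    """Attach the cookie unless it carries sameOrigin and either the request
    initiator or any ancestor frame is a foreign origin."""
    if not cookie.same_origin:
        return True
    if not cookie_same_origin(cookie, initiator):
        return False  # request initiated from another site (CSRF case)
    return all(cookie_same_origin(cookie, a) for a in ancestors)  # UI redress case

def scenarios() -> dict:
    """Constructed sample: a Secure, sameOrigin session cookie of bank.example."""
    session = Cookie("session", host="bank.example", secure=True, same_origin=True)
    bank, evil = "https://bank.example", "https://evil.example"
    return {
        "top_level_same_site": should_attach(session, bank, []),
        "alt_port_ignored": should_attach(session, "https://bank.example:8443", []),
        "plain_http_with_secure": should_attach(session, "http://bank.example", []),
        "csrf_form_from_evil": should_attach(session, evil, []),
        "click_in_evil_frame": should_attach(session, evil, [evil]),
        # The case raised in the reply: the user already clicked a link inside
        # the frame, so the initiator is bank.example, but the frame still has a
        # foreign ancestor, so the ancestor rule of the proposal applies as well.
        "same_site_nav_inside_evil_frame": should_attach(session, bank, [evil]),
    }
```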