W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2008

[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

From: Adam Barth <whatwg@adambarth.com>
Date: Sun, 12 Oct 2008 01:40:30 -0700
Message-ID: <7789133a0810120140l1d2c38f1jd4fc2553900a1791@mail.gmail.com>
On Sat, Oct 11, 2008 at 11:29 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> Collin Jackson wrote:
[snip]
>> If a cookie is set with a
>> "sameOrigin" flag, we could prevent that cookie from being sent on
>> HTTP requests that are initiated by other origins, or were made by
>> frames with ancestors of other origins.
[snip]
> Wouldn't such cookies still be sent if you trick the user into first
> clicking a link inside the frame, thus making it a same-site navigation, and
> then getting the user to click on the 'transfer money' link or whatever you
> are trying to trick the user to do?

I think the idea is that when the click occurs inside the frame, one
of the frame's ancestors is from another security origin and so the
cookie would not be sent.

Adam
Received on Sunday, 12 October 2008 01:40:30 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:06 UTC