- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 26 Sep 2008 13:47:17 +0200
On Thu, 25 Sep 2008 22:17:00 +0200, Collin Jackson <w3c at collinjackson.com> wrote:

> 6) New cookie attribute: The "httpOnly" cookie flag allows sites to
> put restrictions on how a cookie can be accessed. We could allow a new
> flag to be specified in the Set-Cookie header that is designed to
> prevent CSRF and "UI redress" attacks. If a cookie is set with a
> "sameOrigin" flag, we could prevent that cookie from being sent on
> HTTP requests that are initiated by other origins, or were made by
> frames with ancestors of other origins. In a CSRF or "UI redress"
> attack scenario, it will appear as though the user is not logged in,
> and thus the HTTP request will be unable to affect the user's account.
>
> This flag could potentially use the cookie concept of same origin
> rather than the HTML5 concept of same origin: ignore port, ignore
> scheme unless "secure" flag is set, "domain" attribute can be used to
> relax domain comparison.
>
> Pros:
>
> - Only need to change one line of code where the login cookie is set,
>   entire site is protected
>
> Cons:
>
> - "Opt-in" (sites remain vulnerable unless action is taken)
> - Would need to test this to make sure it doesn't break legacy
>   browser cookie handling
>
> (Adam and I got this idea from someone else, but we don't remember who
> it was.)

Probably somewhere on the public-webapps or public-webapi list in context of cross-domain XMLHttpRequest.

Anyway, this wouldn't work for login based on HTTP authentication or based on IP address or something.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 26 September 2008 04:47:17 UTC
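The "sameOrigin" flag in the quoted proposal, modelled as an added example (this is not code from the thread or from any browser): a cookie carrying the flag is withheld when the request's initiator or any ancestor frame fails the cookie-style origin comparison (port ignored, scheme compared only for Secure cookies, a Domain= attribute relaxing the host match). The Cookie fields and the URL parameters are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    """Assumed model of a cookie carrying the proposed (hypothetical) sameOrigin flag."""
    name: str
    domain: str                # host it was set for, or the Domain= attribute value
    secure: bool = False       # Secure attribute
    same_origin: bool = False  # the proposed flag from the quoted message
    host_only: bool = True     # False when Domain= was given (relaxed comparison)


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _scheme(url: str) -> str:
    return urlsplit(url).scheme.lower()


def domain_matches(cookie: Cookie, host: str) -> bool:
    """Cookie-style host comparison; the port never takes part."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def cookie_same_origin(cookie: Cookie, url_a: str, url_b: str) -> bool:
    """The proposal's notion of same origin: both hosts must satisfy the cookie's
    domain rule, the port is ignored, and the scheme only matters for Secure cookies."""
    if not (domain_matches(cookie, _host(url_a)) and domain_matches(cookie, _host(url_b))):
        return False
    return not cookie.secure or _scheme(url_a) == _scheme(url_b)


def should_send(cookie: Cookie, request_url: str, initiator_url: str,
                ancestor_urls: List[str]) -> bool:
    """Decide whether the browser attaches `cookie` to a request for `request_url`
    initiated by `initiator_url` from a frame whose ancestors are `ancestor_urls`."""
    if not domain_matches(cookie, _host(request_url)):
        return False
    if cookie.secure and _scheme(request_url) != "https":
        return False
    if not cookie.same_origin:
        return True  # legacy behaviour: the cookie goes out regardless of who started the request
    # sameOrigin: withhold when the initiator or any ancestor frame is another origin,
    # so a CSRF or UI-redress request looks logged out to the server.
    return all(cookie_same_origin(cookie, request_url, other)
               for other in [initiator_url, *ancestor_urls])
```

As the reply notes, this only helps sessions that live in a cookie; a login based on HTTP authentication or on the client's IP address is untouched by the flag.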