Re: document.cookie

Hey Cristian,

I don't think it's too late to be considering adding recommendations,  
or modifying existing ones - the reason for the working draft review  
process is so that we have ample opportunity to find things we have  
overlooked.

document.cookie is a very broadly used API, and the vast majority of  
those uses are non-malicious.  That's an assertion I'm making without  
a reference to back it up, so it's open to contest, but I strongly  
suspect it is accurate.  As a general principle, "happens often" and  
"usually innocuous" is the wrong set of circumstances for a user  
alert to be effective, since it encourages dialog fatigue and  
mindless click-through.  Have you considered this aspect of it, do  
you have a mitigation in mind?

The flip side is that this is a pretty straightforward thing to solve  
at the protocol level.  AFAIK, the current-or-upcoming versions of  
(at least) IE, Firefox, and Opera include support for HttpOnly  
cookies.  This allows site authors to specify that certain cookies,  
e.g. session tracking cookies or those with otherwise sensitive  
information, be available only as part of the http request, and not  
accessible to script.  This is opt-in, but it has the advantage that  
the user is protected without a need to involve them in the decision  
process.  It also preserves the innocent cases of script-based cookie  
manipulation where no sensitive information is involved.  Are you  
suggesting that this is inadequate?

Cheers,

Johnathan

On 12-Nov-07, at 4:19 AM, Cristian Serban ((Romania)) wrote:

> Hi dudes,
> I have my first proposal(recommendation), it might be too late or  
> it might not be adequate for the group or it might not be valid but  
> I say it anyway, and see your response.
> My proposal is regarding the javascript accessing the browser API  
> function document.cookie.
> I would say that the document.cookie should be treated by the  
> browser as sensitive information and should not be given away to  
> anybody asking for it.
> In the majority of current web applications the cookie is used to  
> session and authentication ticket persistent, although it can be  
> used to other features, like user tracking, preference maintenance.
> In none of this cases the document.cookie is not really needed to  
> be accessed by javascript.
> By denying access to document.cookie a vast majority of session  
> hijacking through XSS attacks could be prevented.
> So I would propose one of the following:
> -          when javascript accesses document.cookie browser API  
> function the user should be alerted that a call to document.cookie 
> (which is a sensitive session information) is being made by  
> javascript, and this might be a means to session hijacking and  
> should continue only if is sure that the page is clean, or else  
> they should logout immediately and come back to this page only  
> after they verified it. Or something close to this message, better  
> formatted.
> -          The document.cookie should be removed from the browser  
> API. I don’t see enough reasons why this is needed, maybe Yngve or  
> other guys working on browsers can tell us why is this really needed.
> Thanks,
>
> Cristian Serban
> ---------------------------------------------------------------------- 
> -----------------------
> Software Engineer, Betfair
>
> Office: +40 364 413759
> Betfair extension:  3759
> Fax: +40 364 409443
> Yahoo! Messenger: scrissti
> Please consider the environment before printing
> Betfair Limited | 2-12 Somesului | Cluj Napoca |
> The information in this e-mail and any attachment is confidential  
> and is intended only for the named recipient(s). The e-mail may not  
> be disclosed or used by any person other than the addressee, nor  
> may it be copied in any way. If you are not a named recipient  
> please notify the sender immediately and delete any copies of this  
> message. Any unauthorized copying, disclosure or distribution of  
> the material in this e-mail is strictly forbidden. Any view or  
> opinions presented are solely those of the author and do not  
> necessarily represent those of the company.
> Betfair ® and the BETFAIR LOGO are registered trade marks of The  
> Sporting Exchange Limited.
>
>
> ______________________________________________________________________ 
> __
> In order to protect our email recipients, Betfair Group use SkyScan  
> from
> MessageLabs to scan all Incoming and Outgoing mail for viruses.
>
> ______________________________________________________________________ 
> __

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Monday, 12 November 2007 15:28:59 UTC