RE: document.cookie

I think my problem is solved very beautifully with HttpOnly cookies, I
didn't know about them.

Thanks,

 

Cristian Serban

------------------------------------------------------------------------
---------------------

Software Engineer, Betfair

 

Office: +40 364 413759
Betfair extension:  3759
Fax: +40 364 409443
Yahoo! Messenger: scrissti 
Please consider the environment before printing
Betfair Limited | 2-12 Somesului | Cluj Napoca |
The information in this e-mail and any attachment is confidential and is
intended only for the named recipient(s). The e-mail may not be
disclosed or used by any person other than the addressee, nor may it be
copied in any way. If you are not a named recipient please notify the
sender immediately and delete any copies of this message. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden. Any view or opinions presented are solely
those of the author and do not necessarily represent those of the
company. 

Betfair (r) and the BETFAIR LOGO are registered trade marks of The
Sporting Exchange Limited.

 

From: Johnathan Nightingale [mailto:johnath@mozilla.com] 
Sent: 12 November 2007 17:29
To: Cristian Serban (Romania)
Cc: public-wsc-wg@w3.org
Subject: Re: document.cookie

 

Hey Cristian,

 

I don't think it's too late to be considering adding recommendations, or
modifying existing ones - the reason for the working draft review
process is so that we have ample opportunity to find things we have
overlooked.

 

document.cookie is a very broadly used API, and the vast majority of
those uses are non-malicious.  That's an assertion I'm making without a
reference to back it up, so it's open to contest, but I strongly suspect
it is accurate.  As a general principle, "happens often" and "usually
innocuous" is the wrong set of circumstances for a user alert to be
effective, since it encourages dialog fatigue and mindless
click-through.  Have you considered this aspect of it, do you have a
mitigation in mind?

 

The flip side is that this is a pretty straightforward thing to solve at
the protocol level.  AFAIK, the current-or-upcoming versions of (at
least) IE, Firefox, and Opera include support for HttpOnly cookies.
This allows site authors to specify that certain cookies, e.g. session
tracking cookies or those with otherwise sensitive information, be
available only as part of the http request, and not accessible to
script.  This is opt-in, but it has the advantage that the user is
protected without a need to involve them in the decision process.  It
also preserves the innocent cases of script-based cookie manipulation
where no sensitive information is involved.  Are you suggesting that
this is inadequate?

 

Cheers,

 

Johnathan

 

On 12-Nov-07, at 4:19 AM, Cristian Serban ((Romania)) wrote:





Hi dudes,

I have my first proposal(recommendation), it might be too late or it
might not be adequate for the group or it might not be valid but I say
it anyway, and see your response.

My proposal is regarding the javascript accessing the browser API
function document.cookie.

I would say that the document.cookie should be treated by the browser as
sensitive information and should not be given away to anybody asking for
it.

In the majority of current web applications the cookie is used to
session and authentication ticket persistent, although it can be used to
other features, like user tracking, preference maintenance.

In none of this cases the document.cookie is not really needed to be
accessed by javascript.

By denying access to document.cookie a vast majority of session
hijacking through XSS attacks could be prevented.

So I would propose one of the following:

-          when javascript accesses document.cookie browser API function
the user should be alerted that a call to document.cookie(which is a
sensitive session information) is being made by javascript, and this
might be a means to session hijacking and should continue only if is
sure that the page is clean, or else they should logout immediately and
come back to this page only after they verified it. Or something close
to this message, better formatted.

-          The document.cookie should be removed from the browser API. I
don't see enough reasons why this is needed, maybe Yngve or other guys
working on browsers can tell us why is this really needed.

Thanks,

 

Cristian Serban

------------------------------------------------------------------------
---------------------

Software Engineer, Betfair

 

Office: +40 364 413759
Betfair extension:  3759
Fax: +40 364 409443
Yahoo! Messenger: scrissti 
Please consider the environment before printing
Betfair Limited | 2-12 Somesului | Cluj Napoca |
The information in this e-mail and any attachment is confidential and is
intended only for the named recipient(s). The e-mail may not be
disclosed or used by any person other than the addressee, nor may it be
copied in any way. If you are not a named recipient please notify the
sender immediately and delete any copies of this message. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden. Any view or opinions presented are solely
those of the author and do not necessarily represent those of the
company.

Betfair (r) and the BETFAIR LOGO are registered trade marks of The
Sporting Exchange Limited.

 


________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from

MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________



 

---

Johnathan Nightingale

Human Shield

johnath@mozilla.com

 





 


________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________