[whatwg] cross-frame cookies
Alexey Feldgendler
alexey at feldgendler.ru
Wed Feb 8 08:55:46 PST 2006
On Wed, 08 Feb 2006 17:29:46 +0600, Hallvord R M Steen
<hallvors at gmail.com> wrote:
> there is some discussion surrounding cookies and security - see this bug:
> http://bugzilla.opendarwin.org/show_bug.cgi?id=6797
>
> We are wondering if it would be any use to block document.cookie
> access across frames completely, or whether this would break too many
> sites out there.. Any thoughts on this?
Just blocking access to cookies of another frame isn't enough. Consider
the following example:

    otherframe.document.body.addEventListener('unload', function() {
        thisframe.variable = otherframe.document.cookie;
    }, false);

When the unload event fires, otherframe will be accessing its own cookies,
which is legal.
--
Opera M2 8.5 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station [ICQ: 115226275] <alexey at feldgendler.ru>
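
Added example, not part of the original message or of any browser's code: a toy JavaScript model of the point made above, showing that a cookie check keyed on the frame in which a handler runs still lets the unload pattern through, while a check keyed on the frame that supplied the handler does not. The Frame class, both policy functions and the cookie values are constructed for illustration, and the second policy is an assumption rather than something proposed in the thread.

```javascript
// Toy model (constructed, not a browser API): frames with a cookie and unload listeners.
class Frame {
  constructor(name, cookie) {
    this.name = name;
    this.cookie = cookie;
    this.listeners = [];
    this.leaked = null; // stands in for thisframe.variable in the message
  }
}

// Policy 1: the accessor is the frame in which the handler is executing.
const byRunningFrame = (owner, ctx) => ctx.running === owner;
// Policy 2 (assumption, not from the thread): the accessor is the frame that supplied the handler.
const byHandlerCreator = (owner, ctx) => ctx.creator === owner;

function readCookie(owner, ctx, policy) {
  if (!policy(owner, ctx)) throw new Error(`cookie access to ${owner.name} denied`);
  return owner.cookie;
}

// Fire unload on target: every handler runs "inside" target, whoever supplied it.
function fireUnload(target, policy) {
  return target.listeners.map(({ creator, handler }) => {
    const ctx = { running: target, creator };
    try {
      handler((owner) => readCookie(owner, ctx, policy));
      return 'allowed';
    } catch (e) {
      return 'denied';
    }
  });
}

function simulate(policy) {
  const thisframe = new Frame('thisframe', 'a=1');
  const otherframe = new Frame('otherframe', 'session=constructed-value');
  // Direct cross-frame read by thisframe.
  let direct = 'allowed';
  try { readCookie(otherframe, { running: thisframe, creator: thisframe }, policy); }
  catch (e) { direct = 'denied'; }
  // The pattern from the message: thisframe installs an unload handler on otherframe.
  otherframe.listeners.push({
    creator: thisframe,
    handler: (cookieOf) => { thisframe.leaked = cookieOf(otherframe); },
  });
  const [viaUnload] = fireUnload(otherframe, policy);
  return { direct, viaUnload, leaked: thisframe.leaked };
}
console.log(simulate(byRunningFrame), simulate(byHandlerCreator));
```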