[whatwg] cross-frame cookies

Alexey Feldgendler alexey at feldgendler.ru
Wed Feb 8 08:55:46 PST 2006


On Wed, 08 Feb 2006 17:29:46 +0600, Hallvord R M Steen  
<hallvors at gmail.com> wrote:

> there is some discussion surrounding cookies and security - see this bug:
> http://bugzilla.opendarwin.org/show_bug.cgi?id=6797
>
> We are wondering if it would be any use to block document.cookie
> access across frames completely, or whether this would break too many
> sites out there.. Any thoughts on this?

Just blocking access to cookies of another frame isn't enough. Consider  
the following example:

otherframe.document.body.addEventListener('unload', function() {
     thisframe.variable = otherframe.document.cookie;
}, false);

When the unload event fires, otherframe will be accessing its own cookies,  
which is legal.


-- 
Opera M2 8.5 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station [ICQ: 115226275] <alexey at feldgendler.ru>



More information about the whatwg mailing list