[whatwg] cross-frame cookies

Ian Hickson ian at hixie.ch
Thu May 24 15:10:14 PDT 2007

On Wed, 8 Feb 2006, Hallvord R M Steen wrote:
> there is some discussion surrounding cookies and security - see this 
> bug: http://bugzilla.opendarwin.org/show_bug.cgi?id=6797
> We are wondering if it would be any use to block document.cookie access 
> across frames completely, or whether this would break too many sites out 
> there. Any thoughts on this?

Doesn't matter if you block access even across frames. Someone could just 
inject a <script> tag into the other frame and have that script do the 
work. The path restrictions on cookies are only useful as a way to manage 
which part of the site gets cookies, not as a security measure.

I've added a note to that effect.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
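The point above, that a cookie's Path attribute only decides which requests a cookie is attached to while the security boundary is the origin (scheme, host and port), can be made concrete by modelling the two rules side by side. The following is an added example, not code from the thread or from any browser; it implements the path-match and default-path rules of RFC 6265 section 5.1.4 and the same-origin comparison from the HTML specification, and runs them over a constructed cookie jar on the made-up host `example.test`.

```javascript
// Added example: RFC 6265 cookie path-match versus same-origin comparison.
// Nothing here comes from the mailing-list thread; host names and cookies are constructed.

// RFC 6265 5.1.4: the default-path of a cookie set without an explicit Path attribute
// is the request path up to, but not including, its rightmost "/".
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== "/") return "/";
  const idx = uriPath.lastIndexOf("/");
  if (idx === 0) return "/";
  return uriPath.slice(0, idx);
}

// RFC 6265 5.1.4 path-match: a request-path matches a cookie-path when they are identical,
// or the cookie-path is a prefix that ends in "/", or the prefix is followed by "/".
// Note that "/admin" therefore does NOT match "/administrator".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (requestPath.startsWith(cookiePath)) {
    if (cookiePath.endsWith("/")) return true;
    if (requestPath[cookiePath.length] === "/") return true;
  }
  return false;
}

// Same-origin: scheme, host and port must all match. The path plays no part,
// which is why two documents under different paths on one host can script each other.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Which cookie names a browser would attach to a request for `url`, given a jar
// of stored cookies ({ name, domain, path, secure }). Host-only matching is assumed.
function cookiesForRequest(jar, url) {
  const u = new URL(url);
  return jar
    .filter(c => c.domain === u.hostname)
    .filter(c => !c.secure || u.protocol === "https:")
    .filter(c => pathMatches(u.pathname, c.path))
    .map(c => c.name);
}

// Constructed sample jar: an "admin" cookie scoped to /admin and a site-wide preference.
const SAMPLE_JAR = [
  { name: "admin_session", domain: "example.test", path: "/admin", secure: true },
  { name: "site_pref", domain: "example.test", path: "/", secure: false },
];

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  console.log(cookiesForRequest(SAMPLE_JAR, "https://example.test/admin/users"));
  console.log(cookiesForRequest(SAMPLE_JAR, "https://example.test/blog/post"));
  console.log(sameOrigin("https://example.test/admin/", "https://example.test/blog/"));
}
```

The two results to compare are that a request to `/blog/post` does not carry `admin_session`, yet `https://example.test/admin/` and `https://example.test/blog/` are the same origin, so a document under `/blog/` is not isolated from one under `/admin/` by the cookie path. If isolation is the goal, the cookie has to live on a different origin (a separate host), and `HttpOnly` keeps it out of `document.cookie` altogether.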
