[whatwg] cross-frame cookies
Ian Hickson
ian at hixie.ch
Thu May 24 15:10:14 PDT 2007
On Wed, 8 Feb 2006, Hallvord R M Steen wrote:
>
> there is some discussion surrounding cookies and security - see this
> bug: http://bugzilla.opendarwin.org/show_bug.cgi?id=6797
>
> We are wondering if it would be any use to block document.cookie access
> across frames completely, or whether this would break too many sites out
> there.. Any thoughts on this?
Doesn't matter if you block access even across frames. Someone could just
inject a <script> tag into the other frame and have that script do the
work. The path restrictions on cookies are only useful as a way to manage
which part of the site gets cookies, not as a security measure.
I've added a note to that effect.
Cheers,
--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
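The point Ian makes above, as an added example that is not from the thread or from any browser's code: a small Python model of the cookie path-match rule browsers applied (later written down in RFC 6265 section 5.1.4) next to the same-origin rule that decides whether one frame can script another. The cookie names, paths and hostnames are constructed for the demonstration. It shows that `Path=` only changes which requests carry a cookie; two pages under different paths of the same origin can still reach each other's document, so path scoping partitions traffic but is not an isolation boundary, and the boundary that does isolate is a separate origin (for example a separate host).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample cookie store for one host: an admin session scoped to
# /admin and a site-wide preference cookie scoped to /.
JAR = {
    "admin_session": {"domain": "example.test", "path": "/admin"},
    "site_prefs": {"domain": "example.test", "path": "/"},
}


def cookie_path_matches(request_path, cookie_path):
    """Path-match as browsers implement it (RFC 6265 section 5.1.4).

    A cookie path of /admin matches /admin and /admin/users but not
    /administrator; a cookie path ending in / matches any longer path
    that has it as a prefix.
    """
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        # request_path is strictly longer here, so the index is in range.
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookies_sent_to(jar, url):
    """Names of the cookies in `jar` that a request to `url` would carry."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return sorted(
        name
        for name, cookie in jar.items()
        if cookie["domain"] == parts.hostname
        and cookie_path_matches(path, cookie["path"])
    )


def origin(url):
    """(scheme, host, port) tuple; the unit the same-origin policy compares."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def same_origin(url_a, url_b):
    """True when a document at url_a may script a frame showing url_b.

    Same origin means the frames share one document.cookie view; the path
    component of either URL plays no part in this decision.
    """
    return origin(url_a) == origin(url_b)


def demo():
    """Contrast what the network sends with what a same-origin script can reach."""
    public_page = "http://example.test/public/page"
    admin_page = "http://example.test/admin/users"
    sent_to_public = cookies_sent_to(JAR, public_page)   # ['site_prefs']
    sent_to_admin = cookies_sent_to(JAR, admin_page)     # ['admin_session', 'site_prefs']
    frames_share_document = same_origin(public_page, admin_page)  # True
    return sent_to_public, sent_to_admin, frames_share_document


if __name__ == "__main__":
    public, admin, shared = demo()
    print("request to /public carries:", public)
    print("request to /admin carries: ", admin)
    print("a /public frame can script a /admin frame:", shared)
    print("separate host is a separate origin:",
          not same_origin("http://example.test/", "http://admin.example.test/"))
```

The useful reading of the output is the last two lines: the request-level partition set up by `Path=` does nothing to the frame-level question, which is answered by the origin alone, so anything that must not be readable by other pages of the same site needs its own host (or must not be exposed to script at all).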