[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Adam Barth whatwg at adambarth.com
Sun Oct 12 01:40:30 PDT 2008


On Sat, Oct 11, 2008 at 11:29 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> Collin Jackson wrote:
[snip]
>> If a cookie is set with a
>> "sameOrigin" flag, we could prevent that cookie from being sent on
>> HTTP requests that are initiated by other origins, or were made by
>> frames with ancestors of other origins.
[snip]
> Wouldn't such cookies still be sent if you trick the user into first
> clicking a link inside the frame, thus making it a same-site navigation, and
> then getting the user to click on the 'transfer money' link or whatever you
> are trying to trick the user to do?

I think the idea is that when the click occurs inside the frame, one
of the frame's ancestors is from another security origin and so the
cookie would not be sent.

Adam
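To make the ancestor check concrete, here is an added example (it is not code from the original thread, from any browser, or from Collin Jackson's proposal) that models the proposed "sameOrigin" cookie flag as a policy function over request metadata. The cookie jar, the origins bank.example and attacker.example, and the request fields initiator and ancestors are all assumptions made for the illustration; real browsers later shipped the related but differently specified SameSite attribute, not this flag.

```javascript
// Added example: a model of the proposed "sameOrigin" cookie flag.
// Hypothetical names throughout; not a browser API.
//
// A request is { url, initiator, ancestors }:
//   initiator  - origin of the document that caused the request
//   ancestors  - origins of the issuing frame's ancestors, outermost
//                first; empty for a top-level document
// A cookie carrying the flag is attached only when the initiator and
// every ancestor share the target's origin.

// Constructed cookie jar: one ordinary cookie and one flagged cookie,
// both set by https://bank.example.
const JAR = [
  { name: "session", value: "abc", origin: "https://bank.example", sameOriginFlag: false },
  { name: "auth",    value: "xyz", origin: "https://bank.example", sameOriginFlag: true  },
];

function originOf(url) {
  return new URL(url).origin; // "https://bank.example"
}

// Decide which cookies in the jar are attached to the request.
function cookiesForRequest(jar, req) {
  const target = originOf(req.url);
  return jar.filter((c) => {
    if (c.origin !== target) return false;            // ordinary origin scoping (simplified)
    if (!c.sameOriginFlag) return true;               // unflagged cookies behave as today
    if (req.initiator !== target) return false;       // cross-origin initiated request
    return req.ancestors.every((a) => a === target);  // every framing ancestor must match
  });
}

function cookieHeader(jar, req) {
  return cookiesForRequest(jar, req).map((c) => `${c.name}=${c.value}`).join("; ");
}

// The scenario from the thread: attacker.example frames the bank page,
// the user clicks a same-site link inside the frame, then clicks
// "transfer money". Both clicks are same-site navigations inside the
// frame, but the attacker ancestor is still there.
function framedClickThrough() {
  const attacker = "https://attacker.example";
  const bank = "https://bank.example";
  const frameLoad = { url: `${bank}/account`, initiator: attacker, ancestors: [attacker] };
  const step1 = { url: `${bank}/account`, initiator: bank, ancestors: [attacker] };
  const step2 = { url: `${bank}/transfer?to=mallory`, initiator: bank, ancestors: [attacker] };
  return {
    frameLoad: cookieHeader(JAR, frameLoad),
    step1: cookieHeader(JAR, step1),
    step2: cookieHeader(JAR, step2),
  };
}

// Control cases: an ordinary top-level visit to the bank, and a classic
// top-level cross-site form submission.
function topLevelVisit() {
  const bank = "https://bank.example";
  return cookieHeader(JAR, { url: `${bank}/account`, initiator: bank, ancestors: [] });
}

function crossOriginInitiated() {
  return cookieHeader(JAR, {
    url: "https://bank.example/transfer",
    initiator: "https://attacker.example",
    ancestors: [],
  });
}
```

In the framed scenario the flagged auth cookie is withheld on every step, including the clicks the user makes inside the frame, because the check is made against the frame's ancestor chain at request time rather than against which document initiated the navigation. The two control cases show the flag costing nothing for a genuine top-level visit while also withholding the cookie from a cross-origin initiated request.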


