[Webkit-unassigned] [Bug 6797] Interaction between javascript cross-frame access and cookie paths may allow cookies to be "stolen"

bugzilla-daemon at opendarwin.org bugzilla-daemon at opendarwin.org
Wed Jan 25 14:35:53 PST 2006


http://bugzilla.opendarwin.org/show_bug.cgi?id=6797


opendarwin.org at bdash.net.nz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |opendarwin.org at bdash.net.nz
            Summary|Cookies being stolen        |Interaction between
                   |                            |javascript cross-frame
                   |                            |access and cookie paths may
                   |                            |allow cookies to be "stolen"




------- Comment #1 from opendarwin.org at bdash.net.nz  2006-01-25 14:35 -------
What appears to be happening here is that cookies are set under the paths
/javascript/1/ and /javascript/2/.  In Frame Test #1, a frameset is then loaded
(from /javascript/3/frames.html) containing two frames.  The frameset document
has no direct access to the cookies due to the path restriction.  It gains
access to the cookie by accessing the child frame's document.cookies.  Frame
Test #2 is similar, only a frame accesses a sibling frame's document.cookies.

The window.open test case works with popup blocking disabled.  It functions in
a similar way -- it opens a popup with window.open, and then retrieves the
cookies via the popup window's document.cookies.


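The interaction described in Comment #1, modelled as an added example (not part of the original message or of WebKit's code): cookie visibility is filtered by path, while cross-frame script access is decided by origin alone. The host example.test, the cookie names and values, and the helper functions are assumptions made for illustration; the HttpOnly cookie is included to show a control that does hold where the path does not.

```javascript
// Constructed model of the behaviour described above; runs in Node, no browser needed.
// Host matching is simplified to an exact hostname comparison (no Domain attribute).

// RFC 6265 section 5.1.4 path-match: does a cookie path cover a request path?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// What document.cookie exposes for a document at `url`:
// host and path must match, and HttpOnly cookies are never exposed to script.
function documentCookie(jar, url) {
  const u = new URL(url);
  return jar
    .filter(c => c.host === u.hostname && pathMatch(u.pathname, c.path) && !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Cross-frame DOM access is decided by origin (scheme, host, port); the path plays no part.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Model of one document reading another frame's document.cookie.
function readViaFrame(jar, accessorUrl, frameUrl) {
  if (!sameOrigin(accessorUrl, frameUrl)) {
    throw new Error('SecurityError: cross-origin frame access');
  }
  return documentCookie(jar, frameUrl);
}

// Constructed sample data mirroring the paths named in the comment.
const jar = [
  { host: 'example.test', path: '/javascript/1/', name: 'c1', value: 'one', httpOnly: false },
  { host: 'example.test', path: '/javascript/2/', name: 'c2', value: 'two', httpOnly: false },
  { host: 'example.test', path: '/javascript/1/', name: 'sid', value: 'secret', httpOnly: true },
];
const frameset = 'http://example.test/javascript/3/frames.html';
const frame1 = 'http://example.test/javascript/1/index.html';
const frame2 = 'http://example.test/javascript/2/index.html';

console.log('frameset, direct     :', JSON.stringify(documentCookie(jar, frameset)));
console.log('frameset via frame 1 :', JSON.stringify(readViaFrame(jar, frameset, frame1)));
console.log('frame 2 via frame 1  :', JSON.stringify(readViaFrame(jar, frame2, frame1)));
```

In this model the path only filters what each document sees directly; the HttpOnly cookie and a different origin are the cases where the read fails.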