[Webkit-unassigned] [Bug 6797] Interaction between javascript cross-frame access and cookie paths may allow cookies to be "stolen"

bugzilla-daemon at opendarwin.org bugzilla-daemon at opendarwin.org
Tue Jun 6 07:10:28 PDT 2006


http://bugzilla.opendarwin.org/show_bug.cgi?id=6797


w at sfgate.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |w at sfgate.com
------- Comment #5 from w at sfgate.com  2006-06-06 07:10 PDT -------
Please, please do NOT "fix" this "bug".
Please ignore RFC2965 in the part about cookie Path filtering.

LJ's discussion states very clearly:
"path on cookies doesn't help security"
and I agree with it.

Please don't create yet another "improvement",
which would be a real pain with AJAX.

Even if you fix this (close the direct opportunity for JS),
other embedded objects, such as <img>, <link>, <object> etc.,
can carry the cookie in the HTTP header, and web programmers will
find a way around it, increasing the mess and lowering security.

I have seen that Safari does not attach the cookie for a CSS <link>,
whereas other browsers do.
Could you please re-focus on fixing such real bugs,
instead of creating more incompatibility problems for server-side programmers?

Thank you in advance.
--Vladimir

Url with test and details:
  http://www.sfgate.com/cgi-bin/safari/first/start
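The point made in the comment above, that a cookie's Path attribute does not isolate anything because the same-origin policy compares only scheme, host and port, can be shown by modelling the two rules side by side. The following is an added example written for this page; it is not code from the Bugzilla thread, from WebKit, or from the sfgate.com test page, and the host names, paths and cookie values in it are constructed. It implements the RFC 6265 path-match rule (the current cookie RFC, which superseded RFC 2965) to decide which cookies are sent to a URL, and a browser-style origin comparison to decide which frames a script may read, then shows that a same-host page under a different path can still read the "private" cookie through a frame.

```javascript
// Added example (not part of the Bugzilla thread): models why the Path
// attribute on a cookie is not a security boundary in the browser.
//
// Two separate rules are at work:
//  1. Cookie path-match (RFC 6265 section 5.1.4) decides which cookies the
//     browser *sends* with a request to a given URL.
//  2. The same-origin policy decides which documents a script may *read*;
//     an origin is (scheme, host, port) only, so the path plays no part.
//
// Because of (2), a script under /public/ on a host may reach into a
// same-origin frame loaded from /private/ and read that frame's
// document.cookie, which is the cross-frame leak the bug describes.
// All URLs and cookies below are constructed sample values.

// RFC 6265 section 5.1.4 path-match: request-path equals cookie-path, or
// cookie-path is a prefix that ends in "/", or cookie-path is a prefix and
// the next character of request-path is "/".
function cookiePathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath.charAt(cookiePath.length) === "/";
}

// Cookies the browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const u = new URL(url);
  return jar
    .filter((c) => c.domain === u.hostname && cookiePathMatches(u.pathname, c.path))
    .map((c) => `${c.name}=${c.value}`);
}

// Same-origin check as browsers apply it to script access between frames.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Simulates a document in a frame: its document.cookie is whatever the
// browser would send to the frame's own URL.
function frameDocumentCookie(frameUrl, jar) {
  return cookiesSentTo(frameUrl, jar).join("; ");
}

// What a script at `scriptUrl` can read out of a frame at `frameUrl`:
// the frame's cookies if same-origin, otherwise null (access is blocked).
function cookiesReadableViaFrame(scriptUrl, frameUrl, jar) {
  if (!sameOrigin(scriptUrl, frameUrl)) return null;
  return frameDocumentCookie(frameUrl, jar);
}

// Constructed cookie jar: "session" is scoped to /private/ only.
const sampleJar = [
  { name: "session", value: "abc123", domain: "example.test", path: "/private/" },
  { name: "theme", value: "dark", domain: "example.test", path: "/" },
];

function demo() {
  const publicPage = "http://example.test/public/index.html";
  const privatePage = "http://example.test/private/account";
  const otherHost = "http://other.test/public/index.html";
  return {
    // Path scoping holds for what is *sent*: /public/ never receives "session".
    sentToPublic: cookiesSentTo(publicPage, sampleJar),
    // ... but a same-host script reads it through a frame regardless of path.
    readFromPublic: cookiesReadableViaFrame(publicPage, privatePage, sampleJar),
    // A different host is stopped by the origin check, not by the path.
    readFromOtherHost: cookiesReadableViaFrame(otherHost, privatePage, sampleJar),
  };
}

console.log(demo());
```

The practical consequence for a defender is the one RFC 6265 itself states: cookies provide no isolation by path, so applications that must not see each other's cookies belong on distinct origins (separate host names), not under different paths of one host.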