[Webkit-unassigned] [Bug 6797] Interaction between javascript cross-frame access and cookie paths may allow cookies to be "stolen"
bugzilla-daemon at opendarwin.org
Tue Jun 6 07:10:28 PDT 2006
http://bugzilla.opendarwin.org/show_bug.cgi?id=6797
w at sfgate.com changed:

What | Removed | Added
-----|---------|----------------
CC   |         | w at sfgate.com
------- Comment #5 from w at sfgate.com 2006-06-06 07:10 PDT -------
Please, please do NOT "fix" this "bug".
Please ignore RFC2965 in the part about cookie Path filtering.
LJ's discussion states it very clearly:
"path on cookies doesn't help security"
and I agree with it.
Please don't create yet another "improvement"
which would be a real pain with AJAX.
Even if you fix this (close the direct opportunity for JS),
other embedded objects, such as <img>, <link>, <object> etc.,
can have the cookie in the HTTP header, and web programmers will
find a way around it, increasing the mess and lowering security.
I have seen that Safari does not attach the cookie for CSS <link>,
whereas other browsers do.
Could you please re-focus on fixing such real bugs,
instead of creating more incompatibility problems for server-side programmers?
Thank you in advance.
--Vladimir
Url with test and details:
http://www.sfgate.com/cgi-bin/safari/first/start