[Webkit-unassigned] [Bug 72209] New: Cross-site XMLHttpRequest allows cookies to be set

Sat Nov 12 02:12:15 PST 2011

https://bugs.webkit.org/show_bug.cgi?id=72209

           Summary: Cross-site XMLHttpRequest allows cookies to be set
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: XML
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: bzbarsky at mit.edu
                CC: abarth at webkit.org

At least according to http://stackoverflow.com/questions/8088213/can-firefox-be-made-to-accept-third-party-cookies-from-an-ajax-response-header/

This seems to not be what the relevant drafts propose at the moment, and seems like it could be abused...

I don't see any obvious UI to flag this as a security bug.  :(

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.