[tahoe-dev] same origin
James A. Donald
jamesd at echeque.com
Fri Jul 30 08:21:33 UTC 2010
On 2010-07-30 1:17 PM, Chris Palmer wrote:
> James A. Donald writes:
>
>> Presumably cookie scope would also be same origin
> Presumably, but very often not in fact. In the Set-Cookie: header you can
> specify a broader scope for cookies, and people often do.
But it would not help the attacker to set a broader scope. The attacked
would have to set a broader scope - assuming he is following the
standard measures to avoid cookie fixation.
It is standard to set your cookie scope for the entire website, if you
control the entire website. If your web page is appearing on tahoe, you
do not.
So a local service that mapped all *.tahoe domains to the same IP would
enable same origin protection between tahoe documents.
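An added illustration of the per-document hostname scheme the message ends on (example code, not from the thread or the Tahoe project): a minimal model of RFC 6265 cookie scoping showing that a cookie set by one *.tahoe hostname is not attached to requests for another, and that a Domain= value naming the shared suffix has to be refused by the browser, which assumes "tahoe" is treated as a public suffix. The doc-a.tahoe and doc-b.tahoe hostnames are constructed.

```python
from dataclasses import dataclass
from typing import Optional

PUBLIC_SUFFIXES = {"tahoe"}  # assumption: the shared suffix is listed as public


@dataclass(frozen=True)
class Cookie:
    name: str
    set_by_host: str            # host whose response carried Set-Cookie
    domain_attr: Optional[str]  # Domain= attribute; None means host-only cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match (IP literals not handled here)."""
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def accept_cookie(set_by_host: str, name: str, domain_attr: Optional[str]) -> Optional[Cookie]:
    """Browser-side store: reject a Domain= that does not cover the setting
    host, or that names a public suffix (the rule that stops one document
    from planting a cookie every *.tahoe document would receive)."""
    if domain_attr is not None:
        d = domain_attr.lower().strip(".")
        if d in PUBLIC_SUFFIXES or not domain_matches(set_by_host, d):
            return None
    return Cookie(name, set_by_host.lower(), domain_attr)


def cookies_sent(jar, request_host: str):
    """Names of stored cookies a browser would attach to a request."""
    out = []
    for c in jar:
        if c.domain_attr is None:
            ok = request_host.lower() == c.set_by_host   # host-only: exact host
        else:
            ok = domain_matches(request_host, c.domain_attr)
        if ok:
            out.append(c.name)
    return out


def demo():
    """Two documents on their own hostnames; the third Set-Cookie tries the suffix."""
    jar = []
    for host, name, dom in [("doc-a.tahoe", "session", None),
                            ("doc-b.tahoe", "pref", "doc-b.tahoe"),
                            ("doc-b.tahoe", "wide", "tahoe")]:
        c = accept_cookie(host, name, dom)
        if c is not None:
            jar.append(c)
    return {h: cookies_sent(jar, h) for h in ("doc-a.tahoe", "doc-b.tahoe", "sub.doc-b.tahoe")}
```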