On Wednesday, February 6, 2013 at 5:06 PM, [email protected] wrote:
> > Javascript hosted on packages.python.org has access to cookies on
> > python.org. If python.org has any sort of login it's trivial to steal a
> > session cookie.
> >
>
> No, it doesn't. Cookies for "python.org" are not available to
> "packages.python.org".
> It would have to be a cookie for ".python.org". We don't
> issue such cookies.
> 
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies

Specifically:

Note: according to one of the specs, domain wildcards should be marked with a
preceding period, so .example.com would denote a wildcard match for the entire
domain - including, somewhat confusingly, example.com proper - whereas
foo.example.com would denote an exact host match. Sadly, no browser follows
this logic, and domain=example.com is exactly equivalent to
domain=.example.com. There is no way to limit cookies to a single DNS name
only, other than by not specifying domain= value at all - and even this does
not work in Microsoft Internet Explorer; likewise, there is no way to limit
them to a specific port.
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
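The domain-matching rule the quoted note describes, written out as a small check of which hosts a cookie would be sent to under RFC 6265. This is an added illustration, not code from the thread or from python.org; the host names and Set-Cookie values are constructed, and the public-suffix check real browsers also apply is left out.

```python
from typing import Optional

# Constructed sample Set-Cookie header values (not real python.org cookies).
HOST_ONLY_COOKIE = "session=abc123; Path=/; Secure; HttpOnly"
DOMAIN_COOKIE = "session=abc123; Domain=python.org; Path=/; Secure; HttpOnly"


def domain_attr_of(set_cookie: str) -> Optional[str]:
    """Return the Domain attribute of a Set-Cookie value, or None for a
    host-only cookie (no Domain attribute given)."""
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.lower() == "domain" and value.strip():
            return value.strip()
    return None


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: a host domain-matches a domain string if the two are
    identical, or the host ends with '.' + domain and is not an IP literal."""
    host = request_host.lower().rstrip(".")
    # Browsers ignore a leading dot, so "python.org" and ".python.org" agree.
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not host.split(".")[-1].isdigit()


def cookie_sent_to(request_host: str, set_by_host: str, set_cookie: str) -> bool:
    """Would a cookie set by set_by_host with this Set-Cookie value be attached
    to a request for request_host? (RFC 6265 5.3 / 5.4 storage and send rules)"""
    domain = domain_attr_of(set_cookie)
    if domain is None:
        # Host-only cookie: only the exact host that set it gets it back.
        return request_host.lower() == set_by_host.lower()
    # The setting host must itself domain-match the attribute, otherwise the
    # user agent rejects the cookie at Set-Cookie time.
    if not domain_matches(set_by_host, domain):
        return False
    return domain_matches(request_host, domain)


if __name__ == "__main__":
    for cookie in (HOST_ONLY_COOKIE, DOMAIN_COOKIE):
        sent = cookie_sent_to("packages.python.org", "python.org", cookie)
        print(f"{cookie!r}: sent to packages.python.org = {sent}")
```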