On Wednesday, February 6, 2013 at 5:53 PM, M.-A. Lemburg wrote:
> On 06.02.2013 23:28, Donald Stufft wrote:
> > On Wednesday, February 6, 2013 at 5:06 PM, [email protected] wrote:
> > > > Javascript hosted on packages.python.org has access to cookies on
> > > > python.org. If python.org has any sort of login it's trivial to steal a
> > > > session cookie.
> > > 
> > > No, it doesn't. Cookies for "python.org" are not available to
> > > "packages.python.org". It would have to be a cookie for ".python.org". We
> > > don't issue such cookies.
> > 
> > http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
> > 
> > Specifically:
> > 
> > Note: according to one of the specs, domain wildcards should be marked with
> > a preceding period, so .example.com would denote a wildcard match for the
> > entire domain - including, somewhat confusingly, example.com proper - whereas
> > foo.example.com would denote an exact host match. Sadly, no browser follows
> > this logic, and domain=example.com is exactly equivalent to
> > domain=.example.com. There is no way to limit cookies to a single DNS name
> > only, other than by not specifying domain= value at all - and even this does
> > not work in Microsoft Internet Explorer; likewise, there is no way to limit
> > them to a specific port.
> 
> A forced redirect from python.org to www.python.org should fix this,
> provided that no service on *.python.org uses a .python.org (or python.org)
> cookie.
> 

http://en.wikipedia.org/wiki/Session_fixation

packages.python.org can set a .python.org cookie which www.python.org will read.
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
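Donald's point above, that a subdomain can plant a domain-wide cookie which the parent site's other hosts will read, modelled as an added Python example (not code from the thread or from python.org's infrastructure). It applies the RFC 6265 domain-matching and Set-Cookie rules and assumes a tiny constructed public-suffix set in place of the browser's real Public Suffix List.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the browser's Public Suffix List (real browsers use
# the full list); a cookie may never be scoped to one of these.
PUBLIC_SUFFIXES = {"org", "com", "net"}

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # lower-case domain the cookie is scoped to
    host_only: bool   # True when Set-Cookie carried no Domain attribute

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or request_host is a subdomain."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def set_cookie(origin_host: str, name: str, domain_attr: Optional[str]) -> Optional[Cookie]:
    """Set-Cookie Domain rules (RFC 6265 section 5.3); None means the browser rejects it."""
    if not domain_attr:
        # No Domain attribute: host-only cookie, sent to origin_host alone.
        return Cookie(name, origin_host.lower(), host_only=True)
    # Browsers drop a leading dot, so Domain=.python.org == Domain=python.org.
    domain = domain_attr.lower().lstrip(".")
    if domain in PUBLIC_SUFFIXES:
        return None  # Domain=org would be sent to every .org site
    if not domain_matches(origin_host, domain):
        return None  # packages.python.org may not set Domain=evil.org
    return Cookie(name, domain, host_only=False)

def cookies_sent_to(jar: List[Cookie], request_host: str) -> List[str]:
    """Names of jar cookies attached to a request for request_host (RFC 6265 5.4)."""
    host = request_host.lower()
    sent = []
    for c in jar:
        if c.host_only and host == c.domain:
            sent.append(c.name)
        elif not c.host_only and domain_matches(host, c.domain):
            sent.append(c.name)
    return sent

def thread_scenario() -> List[str]:
    """The thread's case: packages.python.org plants a .python.org cookie and
    www.python.org sets a host-only session cookie; www.python.org receives both."""
    jar = [set_cookie("packages.python.org", "planted", ".python.org"),
           set_cookie("www.python.org", "session", None)]
    return cookies_sent_to(jar, "www.python.org")
```

Running thread_scenario shows the planted .python.org cookie reaching www.python.org alongside its own host-only session cookie, which is the session-fixation exposure the thread describes and which the redirect alone does not remove.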