On Wed, 16 Jan 2008 04:02:33 +0100, Bjoern Hoehrmann <[EMAIL PROTECTED]>
wrote:
> * Anne van Kesteren wrote:
>> Cookies are already sent for <img>, <script>, and <form> requests.
>> Nothing new. If people mindlessly opt in we might have a problem
>> (though it's really the people that opt in that do), but I would expect
>> that dalmationlovers.invalid & co are using some off-the-shelf software.
> It's actually all of us who would have a problem if the server is
> misconfigured as we might be customers of a misconfigured site and incur
> damages as a result of the misconfiguration (e.g., if we visit a
> malicious site and have data intended only for a trusted site stolen).
I agree that this is a problem. Though if you share your data through XML
you can still solve this yourself. (And typically servers allow you to
override HTTP headers as well.)
> Sending the cookies may be less a problem than allowing scripts read
> access to them (e.g., by allowing them to read the Set-Cookie header
> or the document.cookie property). It's not difficult to imagine people
> mixing cookies and `allow "*"` resources, which would likely go wrong.
This is prevented. (Access to those headers and document.cookie.)
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
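Added example, not code from this thread, the Access Control draft or any browser: a small model of the browser-side decision the two of them are discussing (whether a cross-site response is exposed to script, and that Set-Cookie stays unreadable). It goes one step beyond the thread by never honouring `allow "*"` for a request that carried cookies; the explicit-origin rule form, the response object shape and the sample response are assumptions.

```javascript
// Header names script must never read back, per the thread ("This is prevented").
const NEVER_READABLE = new Set(['set-cookie', 'set-cookie2']);

// Parse one policy rule. `allow "*"` is the form the thread uses; an explicit
// origin such as `allow "https://trusted.example"` is an assumed form.
function parseAllowRule(rule) {
  const m = /^allow\s+"([^"]+)"$/.exec(rule.trim());
  if (!m) throw new Error(`unrecognised rule: ${rule}`);
  return m[1]; // '*' or one origin
}

// Decide whether `response`, fetched cross-site by a page at `origin`, may be
// handed to that page's script. `cookiesSent` says whether the user's ambient
// cookies went along with the request. Stricter than the thread: a wildcard is
// refused when cookies were sent, so a cookie-gated resource that opted in
// with `allow "*"` (the misconfiguration Bjoern describes) leaks nothing.
function exposeToScript(response, origin, cookiesSent) {
  const granted = parseAllowRule(response.accessControl);
  const wildcard = granted === '*';
  const allowed = wildcard ? !cookiesSent : granted === origin;
  if (!allowed) {
    const reason = wildcard ? 'wildcard refused for credentialed request' : 'origin not allowed';
    return { exposed: false, reason, headers: {}, body: null };
  }
  // Even when the body is exposed, cookie headers are filtered out, so script
  // cannot harvest the session token the way document.cookie would reveal it.
  const headers = {};
  for (const [name, value] of Object.entries(response.headers)) {
    if (!NEVER_READABLE.has(name.toLowerCase())) headers[name] = value;
  }
  return { exposed: true, reason: 'allowed', headers, body: response.body };
}

// Constructed sample: a cookie-gated XML resource whose operator opted in for everyone.
const SAMPLE_RESPONSE = {
  accessControl: 'allow "*"',
  headers: {
    'Content-Type': 'application/xml',
    'Set-Cookie': 'session=constructed-value; HttpOnly',
  },
  body: '<account><balance>42</balance></account>',
};
```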