Brad Porter wrote:
We should remember that non-malicious cross-site-requests with cookies go on all the time. A simple peek at your cookie store (or turning on accept/reject of cookies) will show that many sites make cross-site-requests with cookies all the time. Banner ads on the web work entirely based on cross-site GET requests with cookies. There is no same-origin policy for cross-site IMG, FRAME, etc requests with cookies.
As I outlined in my "to cookie or not to cookie" email, the concern isn't that new attack vectors are introduced. The concern is that servers will enable access control without realizing what it means.
/ Jonas
