WebApp Sec mailing list archives
Re: Cross Site Cooking
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Wed, 1 Feb 2006 11:30:09 +0100 (CET)
On Tue, 31 Jan 2006, Aman Raheja wrote:
> Both IE and Firefox have the capability to disallow the websites to set cookies for third party domains.

This is a wholly different function; it prevents portions of content that are hosted elsewhere than the site / domain you're currently viewing (say, provided by ad companies) from dropping you a cookie. In other words, when you go to flybynight.com, and they have a banner that needs to be fetched from pillsandpr0n.biz, Set-Cookie headers returned by pillsandpr0n.biz will be ignored, thus making it harder for them to track you as you browse the web.

This does not stop bork.xyzzy.example.com from setting a cookie for frob.knob.example.com when you view that first website.

Cheers,
/mz
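The distinction drawn in the reply above, as an added example that is not part of the original thread: a toy cookie-jar model in which third-party blocking compares the page's site with the responding host, while the Domain attribute check is only a tail match. The `site_of` approximation (last two labels) and all host names are assumptions made for the illustration.

```python
# Added example (not from the mailing-list thread): models the two
# separate browser controls the reply contrasts.
#   - third-party blocking: compare the site you are viewing with the
#     host that returned Set-Cookie;
#   - Domain attribute check: does the responding host tail-match the
#     cookie's Domain value?  (RFC 2109-style matching)
# Assumption: a "site" is crudely approximated as the last two labels
# of a host name (no public-suffix list).

def site_of(host):
    """Registrable site, approximated as the last two DNS labels."""
    return ".".join(host.lower().split(".")[-2:])

def domain_matches(host, cookie_domain):
    """Tail match: host equals the Domain, or ends with '.' + Domain."""
    d = cookie_domain.lower().lstrip(".")
    h = host.lower()
    return h == d or h.endswith("." + d)

def accept_cookie(page_host, response_host, cookie_domain, block_third_party):
    """True if this browser model would store the cookie."""
    # Third-party filter: the ad-banner case from the reply.
    if block_third_party and site_of(page_host) != site_of(response_host):
        return False
    # Domain attribute must cover the host that set the cookie.
    return domain_matches(response_host, cookie_domain)

def cookie_sent_to(request_host, cookie_domain):
    """True if a stored cookie with this Domain is sent to request_host."""
    return domain_matches(request_host, cookie_domain)

def demo():
    # Scenario 1: viewing flybynight.com, banner served by pillsandpr0n.biz.
    banner_blocked = not accept_cookie(
        "flybynight.com", "pillsandpr0n.biz", "pillsandpr0n.biz", True)
    # Scenario 2: bork.xyzzy.example.com sets Domain=.example.com while
    # you view it; the third-party filter is not involved at all, and
    # the cookie is later sent to frob.knob.example.com.
    sibling_accepted = accept_cookie(
        "bork.xyzzy.example.com", "bork.xyzzy.example.com",
        ".example.com", True)
    sibling_receives = cookie_sent_to("frob.knob.example.com", ".example.com")
    return banner_blocked, sibling_accepted, sibling_receives

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The third result is the point of the reply: the third-party setting never examines the Domain attribute, so a cookie scoped to a shared parent domain still reaches sibling hosts.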
Current thread:
- Cross Site Cooking Michal Zalewski (Jan 28)
- <Possible follow-ups>
- RE: Cross Site Cooking Amit Klein (AKsecurity) (Jan 29)
- RE: Cross Site Cooking Michal Zalewski (Jan 30)
- Re: Cross Site Cooking Aman Raheja (Jan 31)
- Re: Cross Site Cooking Michal Zalewski (Feb 02)
- Re: Cross Site Cooking john-secfocus (Jan 31)
- Re: Cross Site Cooking Erwan Legrand (Jan 31)
- Re: Cross Site Cooking Michal Zalewski (Jan 31)
- RE: Cross Site Cooking Evans, Arian (Jan 31)