WebApp Sec mailing list archives

Re: Cross Site Cooking


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Wed, 1 Feb 2006 11:30:09 +0100 (CET)

On Tue, 31 Jan 2006, Aman Raheja wrote:

> Both IE and Firefox have the capability to disallow the websites to set
> cookies for third party domains.

This is a wholly different function; it prevents portions of content that
are hosted elsewhere than the site / domain you're currently viewing (say,
provided by ad companies) from dropping you a cookie.

In other words, when you go to flybynight.com, and they have a banner that
needs to be fetched from pillsandpr0n.biz, Set-Cookie headers returned by
pillsandpr0n.biz will be ignored, thus making it harder for them to track
you as you browse the web.

This does not stop bork.xyzzy.example.com from setting a cookie for
frob.knob.example.com when you view that first website.

Cheers,
/mz
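The distinction drawn in this reply, as an added illustration that is not part of the original thread: third-party blocking compares the site of the page being viewed with the site of the responding host, while a domain-scoped cookie only has to cover the responding host and avoid a bare public suffix. The public-suffix list below is a constructed three-entry stand-in for the real one.

```python
# Constructed toy public-suffix list; real browsers use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "biz", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the 'site' of a host: the public suffix plus one label, e.g. example.com.
    Simplified: scans labels from the left until a public suffix is found."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host.lower()


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the host equals the cookie domain or ends with '.' + domain.
    Decides whether a cookie scoped to cookie_domain is sent to request_host."""
    h, d = request_host.lower(), cookie_domain.lower().lstrip(".")
    return h == d or h.endswith("." + d)


def may_set_domain_cookie(response_host: str, cookie_domain: str) -> bool:
    """Can a Set-Cookie from response_host carry Domain=cookie_domain?
    The domain must cover the responding host and must not be a bare public suffix;
    nothing here looks at which page the user is actually viewing."""
    d = cookie_domain.lower().lstrip(".")
    return domain_matches(response_host, d) and d not in PUBLIC_SUFFIXES


def blocked_as_third_party(document_host: str, response_host: str) -> bool:
    """Third-party cookie blocking as the reply describes it: the Set-Cookie is ignored
    when the responding host belongs to a different site than the page being viewed."""
    return registrable_domain(document_host) != registrable_domain(response_host)


if __name__ == "__main__":
    # Banner from pillsandpr0n.biz embedded in flybynight.com: blocked as third party.
    print(blocked_as_third_party("flybynight.com", "pillsandpr0n.biz"))
    # bork.xyzzy.example.com sets Domain=example.com while you view it: allowed, and
    # that cookie is then sent to the sibling frob.knob.example.com.
    print(may_set_domain_cookie("bork.xyzzy.example.com", "example.com"))
    print(domain_matches("frob.knob.example.com", "example.com"))
```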
