On 2001.12.27, Rob Mayoff <[EMAIL PROTECTED]> wrote:
> +---------- On Dec 27, Dossy said:
> > Netscape has the option of "allow all cookies" or "allow cookies
> > that get sent back to the originating server." So, if you just
> > set "allow all cookies" then send your browser a set-cookie where
> > domain= the domain you want to attack, setting cookies becomes
> > pretty trivial.
>
> That's not what accept-all-cookies means. If an HTML page from server
> X contains an IMG tag with an SRC pointing at server Y, and server Y's
> response includes Set-Cookie, then Netscape will honor Y's Set-Cookie
> if accept-all-cookies is set and will not honor it if
> accept-only-cookies-that-get-sent-back-to-originating-server is set.

Interesting. Still, setting a cookie in a browser so that it gets sent
to an arbitrary site is an easy exercise, as Wojciech pointed out.

-- Dossy

--
Dossy Shiobara                       mail: [EMAIL PROTECTED]
Panoptic Computer Network             web: http://www.panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)
