On 06.02.2013 23:28, Donald Stufft wrote:
> On Wednesday, February 6, 2013 at 5:06 PM, mar...@v.loewis.de wrote:
>>> Javascript hosted on packages.python.org has access to cookies on
>>> python.org; if python.org has any sort of login it's trivial to steal
>>> a session cookie.
>>
>> No, it doesn't. Cookies for "python.org" are not available to
>> "packages.python.org". It would have to be a cookie for ".python.org".
>> We don't issue such cookies.
>
> http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
>
> Specifically:
>
> Note: according to one of the specs, domain wildcards should be marked with a
> preceding period, so .example.com would denote a wildcard match for the
> entire domain - including, somewhat confusingly, example.com proper - whereas
> foo.example.com would denote an exact host match. Sadly, no browser follows
> this logic, and domain=example.com is exactly equivalent to
> domain=.example.com. There is no way to limit cookies to a single DNS name
> only, other than by not specifying domain= value at all - and even this does
> not work in Microsoft Internet Explorer; likewise, there is no way to limit
> them to a specific port.
A forced redirect from python.org to www.python.org should fix this,
provided that no service on *.python.org uses a .python.org (or python.org)
cookie.

Also see:
http://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 06 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
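As an added illustration of the cookie scoping the thread argues about (example code, not from the thread or from python.org): the RFC 6265 domain-matching rules applied to the hosts named above. It shows that a cookie set by python.org without a Domain= attribute is host-only and never reaches packages.python.org, that Domain=.python.org and Domain=python.org are equivalent and reach every subdomain, and that a subdomain is allowed to set a cookie for its parent domain (the serverfault question). Hostnames are those from the discussion; cookie names are constructed, and the old-IE quirk from the browsersec quote is not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    set_by: str             # host whose response carried the Set-Cookie header
    domain: Optional[str]   # the Domain= attribute as sent, or None if omitted


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def effective_domain(cookie: Cookie) -> Tuple[str, bool]:
    """Return (domain, host_only). A leading dot is stripped (section 5.2.3),
    so Domain=.python.org and Domain=python.org are the same; omitting
    Domain= gives a host-only cookie (section 5.3 step 6)."""
    if cookie.domain is None:
        return cookie.set_by.lower(), True
    return cookie.domain.lower().lstrip("."), False


def accepted_at_set_time(cookie: Cookie) -> bool:
    """Section 5.3 step 6: the setting host must domain-match Domain=, so
    packages.python.org may set Domain=python.org but not Domain=example.org.
    Public-suffix rejection is not modelled."""
    domain, host_only = effective_domain(cookie)
    return host_only or domain_matches(cookie.set_by, domain)


def would_be_sent(cookie: Cookie, request_host: str) -> bool:
    """Section 5.4: host-only cookies go only to the exact host; all others go
    to every host that domain-matches. Rejected cookies are never sent."""
    if not accepted_at_set_time(cookie):
        return False
    domain, host_only = effective_domain(cookie)
    if host_only:
        return request_host.lower() == domain
    return domain_matches(request_host, domain)


def reachable_from(cookie: Cookie, hosts) -> list:
    """Which of the given hosts would receive this cookie."""
    return [h for h in hosts if would_be_sent(cookie, h)]


HOSTS = ["python.org", "www.python.org", "packages.python.org"]
```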