On 2010-07-30 1:17 PM, Chris Palmer wrote:
> James A. Donald writes:
>> Presumably cookie scope would also be same origin
> Presumably, but very often not in fact. In the Set-Cookie: header you can
> specify a broader scope for cookies, and people often do.
But it would not help the attacker to set a broader scope. The attacked
party would have to set a broader scope - assuming he is following the
standard measures to avoid cookie fixation.
It is standard to set your cookie scope for the entire website, if you
control the entire website. If your web page is appearing on tahoe, you
do not.
So a local service that mapped all *.tahoe domains to the same IP would
enable same-origin protection between tahoe documents.
_______________________________________________
tahoe-dev mailing list
[email protected]
http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
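The two mechanisms discussed in this message, the Domain attribute on Set-Cookie widening a cookie's scope and per-document subdomains giving each tahoe document its own origin, can be modelled with a few lines of RFC 6265 logic. The following is an added example, not code from the tahoe-lafs project or from anyone in this thread; the hostnames (doc1.tahoe, doc2.tahoe) and cookie names are constructed for illustration.

```python
"""Added example (not tahoe-lafs code): model which cookies a browser attaches
to a request under the RFC 6265 domain-matching rules, to show that a scheme
serving each document from its own <id>.tahoe subdomain isolates cookies only
as long as each document keeps its cookies host-only.  All hostnames and
cookie values below are constructed."""

from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    request_host: str           # host whose response carried the Set-Cookie
    domain: Optional[str] = None  # Domain attribute, or None for host-only


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching for hostnames (not IP literals):
    host equals domain, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def accept_set_cookie(request_host: str, name: str, value: str,
                      domain: Optional[str] = None) -> Optional[Cookie]:
    """Apply the RFC 6265 section 5.3 storage rule to a Set-Cookie header
    received from request_host.  A Domain attribute that the request host does
    not domain-match is ignored, so doc2.tahoe cannot plant a cookie scoped to
    doc1.tahoe; it can, however, scope one to the whole 'tahoe' domain."""
    if domain is None:
        return Cookie(name, value, request_host.lower())
    if not domain_matches(request_host, domain):
        return None
    return Cookie(name, value, request_host.lower(), domain.lower().lstrip("."))


def cookies_sent_to(jar: List[Cookie], host: str) -> List[Cookie]:
    """Cookies from `jar` that a browser would attach to a request for `host`:
    host-only cookies go back only to the host that set them, domain cookies
    to every host that domain-matches the Domain attribute."""
    host = host.lower()
    sent = []
    for c in jar:
        if c.domain is None:
            if c.request_host == host:
                sent.append(c)
        elif domain_matches(host, c.domain):
            sent.append(c)
    return sent


def same_origin(url_a: str, url_b: str) -> bool:
    """Same-origin comparison: scheme, host and port must all match, so two
    documents on different *.tahoe subdomains are distinct origins even when
    they resolve to the same IP address."""
    default = {"http": 80, "https": 443}
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port or default.get(a.scheme)) == \
           (b.scheme, b.hostname, b.port or default.get(b.scheme))


def demo() -> dict:
    """Constructed scenario: doc1.tahoe sets a host-only cookie, doc2.tahoe sets
    a cookie scoped to the whole 'tahoe' domain and also tries to set one scoped
    to doc1.tahoe (which the browser rejects)."""
    stored = [
        accept_set_cookie("doc1.tahoe", "session", "s1"),
        accept_set_cookie("doc2.tahoe", "tracker", "t2", domain="tahoe"),
    ]
    rejected = accept_set_cookie("doc2.tahoe", "evil", "x", domain="doc1.tahoe")
    jar = [c for c in stored if c is not None]
    return {
        # doc1 receives its own cookie plus the broad one doc2 set for 'tahoe'
        "doc1": sorted(c.name for c in cookies_sent_to(jar, "doc1.tahoe")),
        # doc2 never sees doc1's host-only cookie
        "doc2": sorted(c.name for c in cookies_sent_to(jar, "doc2.tahoe")),
        "rejected_cross_host_domain": rejected is None,
        "docs_share_origin": same_origin("http://doc1.tahoe/", "http://doc2.tahoe/"),
    }


if __name__ == "__main__":
    print(demo())
```

The output shows both halves of the argument: doc1.tahoe's host-only "session" cookie is never sent to doc2.tahoe and the two documents are distinct origins, but a cookie that any document deliberately scopes to "tahoe" is sent to every document, which is why the per-document subdomain only helps when the attacked party does not widen its own cookie scope.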