On Thu, 25 Sep 2008 22:17:00 +0200, Collin Jackson <[EMAIL PROTECTED]> wrote:
6) New cookie attribute: The "httpOnly" cookie flag allows sites to
put restrictions on how a cookie can be accessed. We could allow a new
flag to be specified in the Set-Cookie header that is designed to
prevent CSRF and "UI redress" attacks. If a cookie is set with a
"sameOrigin" flag, we could prevent that cookie from being sent on
HTTP requests that are initiated by other origins, or were made by
frames with ancestors of other origins. In a CSRF or "UI redress"
attack scenario, it will appear as though the user is not logged in,
and thus the HTTP request will be unable to affect the user's account.

This flag could potentially use the cookie concept of same origin
rather than the HTML5 concept of same origin: ignore port, ignore
scheme unless "secure" flag is set, "domain" attribute can be used to
relax domain comparison.

Pros:

 - Only need to change one line of code where the login cookie is set,
entire site is protected

Cons:

 - "Opt-in" (sites remain vulnerable unless action is taken)
 - Would need to test this to make sure it doesn't break legacy
browser cookie handling

(Adam and I got this idea from someone else, but we don't remember who it was.)

Probably somewhere on the public-webapps or public-webapi list in context of cross-domain XMLHttpRequest. Anyway, this wouldn't work for login based on HTTP authentication or based on IP address or something.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
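As an added illustration of the proposed "sameOrigin" flag (example code written for this page, not from the thread or any browser), the decision logic below models a cookie jar that applies the cookie notion of same origin described above: port is ignored, scheme is only compared when the cookie is Secure, and the Domain attribute relaxes host matching. Names such as `Cookie`, `should_send` and the hosts `bank.example` / `evil.example` are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    origin_host: str              # host of the response that set the cookie
    domain: Optional[str] = None  # Domain attribute (relaxes host comparison)
    secure: bool = False          # existing Secure flag
    same_origin: bool = False     # the proposed sameOrigin flag

def host_matches(host: str, cookie: Cookie) -> bool:
    """Cookie-style host match: exact host, or suffix match when Domain is set."""
    if cookie.domain is None:
        return host == cookie.origin_host
    d = cookie.domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)

def is_cookie_same_origin(url: str, cookie: Cookie) -> bool:
    """Port is ignored; scheme is only checked when the cookie is Secure."""
    u = urlsplit(url)
    if cookie.secure and u.scheme.lower() != "https":
        return False
    return host_matches((u.hostname or "").lower(), cookie)

def should_send(cookie: Cookie, request_url: str,
                initiator_url: str, ancestor_urls: Sequence[str]) -> bool:
    """Decide whether the cookie is attached to request_url.

    initiator_url is the origin that caused the request (the page hosting a
    form or <img>); ancestor_urls are the origins of every framing ancestor.
    """
    if not is_cookie_same_origin(request_url, cookie):
        return False                      # ordinary cookie scoping
    if not cookie.same_origin:
        return True                       # legacy behaviour: always sent
    # sameOrigin: the initiator and every ancestor frame must also match,
    # otherwise the request looks logged-out (defeats CSRF and UI redress).
    return all(is_cookie_same_origin(u, cookie)
               for u in [initiator_url, *ancestor_urls])

# Constructed sample cookies: the one-line change the mail describes is
# adding same_origin=True to the login cookie.
LEGACY_SESSION = Cookie("sid", "abc", origin_host="bank.example")
PROTECTED_SESSION = Cookie("sid", "abc", origin_host="bank.example",
                           secure=True, same_origin=True)
```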