[cap-talk] Security considerations for cookies

Adam Barth w3c at adambarth.com
Tue Feb 16 17:54:26 PST 2010


On Tue, Feb 16, 2010 at 5:40 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
> w3c at adambarth.com (Adam Barth) on Monday, February 15, 2010 wrote:
>>On Mon, Feb 15, 2010 at 11:15 PM, David Wagner <daw at cs.berkeley.edu> wrote:
>>> A related threat is that an arbitrary site may be able to delete
>>> all cookies, even of other sites.
>>>  http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html
>>> Implication: Whatever protocol you use that uses cookies ought to
>>> be resilient to malicious deletion of cookies.  I'm not sure if this
>>> was mentioned in Adam's document.
>>
>>Good point.  I've added this text:
>>
>>[[
>>        <t>Finally, an attacker might be able to force the user agent to
>>        delete cookies by storing a large number of cookies. Once the user agent
>>        reaches its storage limit, the user agent will be forced to evict some
>>        cookies. Servers SHOULD NOT rely upon user agents retaining
>>        cookies.</t>
>>]]
>
> Even stronger, Safari has a UI for deleting cookies. I use it frequently.
> If I weren't so lazy I might have a program to mutate them instead. :-)

Indeed.  The non-malicious deletion of cookies is mentioned in the
main text of the spec.

Adam
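A toy model of the eviction scenario described in the quoted spec text, added here as an example that is not from the thread or the cookie spec draft. The storage limit, host names and the server-side session table are constructed; the point is that once another site fills the store, the first site's cookie is gone, and a server that treats a missing cookie as "not logged in" rather than assuming state keeps working.

```python
from collections import OrderedDict

MAX_COOKIES = 8  # constructed storage limit for the toy user agent
SESSIONS = {"s1": "alice"}  # constructed server-side session table


class CookieJar:
    """Toy user agent cookie store: global limit, oldest cookie evicted first."""

    def __init__(self, limit=MAX_COOKIES):
        self.limit = limit
        self.store = OrderedDict()  # (host, name) -> value, in insertion order

    def set(self, host, name, value):
        key = (host, name)
        self.store.pop(key, None)  # re-setting a cookie makes it the newest
        self.store[key] = value
        while len(self.store) > self.limit:
            # Storage limit reached: evict the oldest cookie, whichever host set it
            self.store.popitem(last=False)

    def cookies_for(self, host):
        return {n: v for (h, n), v in self.store.items() if h == host}


def handle_request(cookies):
    """Server-side handler that does not rely on the user agent retaining cookies.

    A missing or unknown session cookie is treated as an anonymous request
    that must re-authenticate; no server state is assumed from its absence.
    """
    sid = cookies.get("sid")
    if sid is None or sid not in SESSIONS:
        return "anonymous"
    return SESSIONS[sid]


def demo():
    jar = CookieJar()
    jar.set("bank.example", "sid", "s1")
    before = handle_request(jar.cookies_for("bank.example"))
    # Another site stores enough cookies to push the store past its limit
    for i in range(MAX_COOKIES):
        jar.set("other.example", f"c{i}", "x")
    after = handle_request(jar.cookies_for("bank.example"))
    return before, after  # ("alice", "anonymous")
```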

