[cap-talk] Security considerations for cookies
Adam Barth
w3c at adambarth.com
Wed Feb 17 11:47:44 PST 2010
On Wed, Feb 17, 2010 at 10:04 AM, David Wagner <daw at cs.berkeley.edu> wrote:
> Mark Seaborn wrote:
>>What's not clear to me is which tabs you're saying the attacker can
>>navigate. Suppose the browser has two tabs open:
>> * Tab A: https://webmail.com/users-webmail-webkey
>> * Tab B: https://attacker.com
> [...]
>>Are you saying that the attacker can also cause tab A to navigate to an
>>attacker-supplied web-key?
>
> Adam can give you an authoritative answer. I think it depends
> upon the provenance of Tab A (how it was opened).

The exact details are somewhat complicated (especially in
multi-process browsers). It's easiest to make the assumption that an
attacker can navigate any top-level tab at any time.

Adam