Postman interceptor header
1/11/2024

Yes, HTTP-Only cookies would be fine for this functionality. They will still be provided with the XmlHttpRequest's request to the server.

In the case of Stack Overflow, the cookies are automatically provided as part of the XmlHttpRequest request. I don't know the implementation details of the Stack Overflow authentication provider, but that cookie data is probably automatically used to verify your identity at a lower level than the "vote" controller method.

More generally, cookies are not required for AJAX. XmlHttpRequest support (or even iframe remoting, on older browsers) is all that is technically required.

However, if you want to provide security for AJAX enabled functionality, then the same rules apply as with traditional sites. You need some method for identifying the user behind each request, and cookies are almost always the means to that end.

In your example, I cannot write to your cookie, but I can still steal your cookie and post it to my domain using the XMLHttpRequest object.

XmlHttpRequest won't make cross-domain requests (for exactly the sorts of reasons you're touching on). You could normally inject script to send the cookie to your domain using iframe remoting or JSONP, but then HTTP-Only protects the cookie again since it's inaccessible. Unless you had compromised on the server side, you wouldn't be able to steal my cookie.

Edit 2: Question 2. If the purpose of Http-Only is to prevent JavaScript access to cookies, and you can still retrieve the cookies via JavaScript through the XmlHttpRequest Object, what is the point of Http-Only?

1. I find an avenue to inject JavaScript code into the page.
2. Jeff loads the page and my malicious JavaScript modifies his cookie to match mine.
3. Jeff submits a stellar answer to your question.
4. Because he submits it with my cookie data instead of his, the answer will become mine.

With HTTP-Only cookies, the second step would be impossible, thereby defeating my XSS attempt.

Edit 4: Sorry, I meant that you could send the XMLHttpRequest to the StackOverflow domain, and then save the result of getAllResponseHeaders() to a string, regex out the cookie, and then post that to an external domain. It appears that Wikipedia and ha.ckers concur with me on this one, but I would love to be re-educated.

It does significantly thin the herd of people who can successfully execute even that XSS hack against you though. However, if you go back to my example scenario, you can see where HTTP-Only does successfully cut off the XSS attacks which rely on modifying the client's cookies (not uncommon). It boils down to the fact that a) no single improvement will solve all vulnerabilities and b) no system will ever be completely secure. HTTP-Only is a useful tool in shoring up against XSS. Similarly, even though the cross domain restriction on XmlHttpRequest isn't 100% successful in preventing all XSS exploits, you'd still never dream of removing the restriction.

I got it to work, but the solution is a bit complex, so bear with me.

What's happening

As it is, Internet Explorer gives a lower level of trust to IFRAME pages (IE calls this "third-party" content). If the page inside the IFRAME doesn't have a Privacy Policy, its cookies are blocked (which is indicated by the eye icon in the status bar; when you click on it, it shows you a list of blocked URLs). In this case, when cookies are blocked, the session identifier is not sent, and the target script throws a 'session not found' error. (I've tried setting the session identifier into the form and loading it from POST variables. This would have worked, but for political reasons I couldn't do that.) It is possible to make the page inside the IFRAME more trusted: if the inner page sends a P3P header with a privacy policy that is acceptable to IE, the cookies will be accepted.

How to solve it

Create a p3p policy

A good starting point is the W3C tutorial. I've gone through it, downloaded the IBM Privacy Policy Editor and there I created a representation of the privacy policy and gave it a name to reference it by (here it was policy1).