Because he submits it with my cookie data instead of his, the answer will become mine. With HTTP-Only cookies, the second step would be impossible, thereby defeating my XSS attempt.

Edit 4: Sorry, I meant that you could send the XMLHttpRequest to the StackOverflow domain, and then save the result of getAllResponseHeaders() to a string, regex out the cookie, and then post that to an external domain.

It appears that Wikipedia and ha.ckers concur with me on this one, but I would love to be re-educated. It does significantly thin the herd of people who can successfully execute even that XSS hack against you, though. However, if you go back to my example scenario, you can see where HTTP-Only does successfully cut off the XSS attacks which rely on modifying the client's cookies (not uncommon). It boils down to the fact that a) no single improvement will solve all vulnerabilities and b) no system will ever be completely secure. HTTP-Only is a useful tool in shoring up against XSS. Similarly, even though the cross-domain restriction on XmlHttpRequest isn't 100% successful in preventing all XSS exploits, you'd still never dream of removing the restriction.

I got it to work, but the solution is a bit complex, so bear with me.

What's happening

As it is, Internet Explorer gives a lower level of trust to IFRAME pages (IE calls this "third-party" content). If the page inside the IFRAME doesn't have a Privacy Policy, its cookies are blocked (which is indicated by the eye icon in the status bar; when you click on it, it shows you a list of blocked URLs). In this case, when cookies are blocked, the session identifier is not sent, and the target script throws a 'session not found' error. (I've tried setting the session identifier into the form and loading it from POST variables. This would have worked, but for political reasons I couldn't do that.) It is possible to make the page inside the IFRAME more trusted: if the inner page sends a P3P header with a privacy policy that is acceptable to IE, the cookies will be accepted.

How to solve it

Create a P3P policy

A good starting point is the W3C tutorial.
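An added example, not code from the original posts: it builds the two response headers the text discusses (a P3P compact policy so IE accepts the IFRAME'd page's cookie, and an HttpOnly session cookie so script cannot read it) and audits a raw header block for both. The compact-policy string, cookie name and header lines are assumed example values.

```python
from http.cookies import SimpleCookie

# Assumed example compact policy; a real one must describe the site's actual
# data practices (see the W3C P3P tutorial the post points to).
EXAMPLE_P3P = 'CP="CAO PSA OUR"'


def session_response_headers(session_id, p3p=EXAMPLE_P3P):
    """Headers the page inside the IFRAME should send: a P3P compact policy
    (so IE treats the third-party cookie as acceptable) and a session cookie
    flagged HttpOnly (so document.cookie does not expose it to injected script)."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True
    return [("P3P", p3p), ("Set-Cookie", cookie.output(header="").strip())]


def audit_response(raw_headers):
    """Scan a raw HTTP header block and report cookies readable from script
    (no HttpOnly) and a missing P3P compact policy. Returns a list of findings."""
    findings = []
    has_p3p = False
    for line in raw_headers.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or malformed line, not a header
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "p3p":
            has_p3p = "cp=" in value.lower()
        elif name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")]
            cookie_name = attrs[0].split("=", 1)[0]
            if "httponly" not in attrs:
                findings.append(f"cookie '{cookie_name}' lacks HttpOnly")
    if not has_p3p:
        findings.append("no P3P compact policy; IE blocks the cookie in a third-party IFRAME")
    return findings


if __name__ == "__main__":
    # Constructed sample: a response that sets the session cookie without either protection.
    sample = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: sid=abc123; Path=/\r\n"
    for finding in audit_response(sample):
        print(finding)
    print(session_response_headers("abc123"))
```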