| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Mar 2009 10:00:10 +0100 From: Michal Zalewski <lcamtuf@...edump.cx> To: Phani <pklanka@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Multiple Cookies combined to a single Set-Cookie response > Could anyone put in any thoughts on this... That's a weird question for full-disclosure@ - but yeah, your observations are correct - see the intro text and first bullet here: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies In general, cookie support is a mess to an extent higher than many other mechanisms. There is an original, half-baked draft from Netscape that reflects bulk of current cookie behavior most accurately; RFC 2109, which attempted to sort it out, but is widely disregarded on most counts, though with some exceptions; and RFC 2965, flat out ignored by most browsers. Every browser has an implementation based on their best reading of these three documents, but each implementation is unique. Multiple cookies per Set-Cookie, cookie ordering, quoted-string handling, and host-scoped cookie behavior are the most important differences (all of which have some security consequences, by the way). /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists