Reply to Re: Cookie & Frame from another domain?

Posted by Bruno on 04/16/06 21:43

Well, I'm not so sure that it's a nasty thing if a frame from a domain has
access to its own cookies.

In the example I gave, I would intuitively suspect that domain one.com
should have access to cookies created by domain one.com, and that domain
two.com should have access to cookies created by domain two.com, but they
should not be able to access each other's - That would be an obvious
security breach. You are suggesting that accessing a cookie from its own
domain is a breach just because it is contained in a frame? - It does not
make sense.

It strikes me that a frame's contents should be managed as an independent
page (and obviously the feature works in IE if spawned into a "_blank"
window). Perhaps IE is not secure in separating access to a frame's cookies
that are different than its host frame...

As far as I can see, the contents of the frame belong either to its own
domain, or the host frame's (which is it?). Setting the cookie as belonging
to one of these two domains should allow me to save values for subsequent
pages. The only alternatives are to pass values as parameters in the page
call (which is inherently more visible to the average user than values
passed in a cookie), or to implement a complex set of forms/posts for
navigation (which would be quite tedious).



"d" <d@example.com> wrote in message
news:KBv0g.54368$wl.37844@text.news.blueyonder.co.uk...
> "Bruno" <2005b@TimesOnThe.Net> wrote in message
> news:D0v0g.106$DR6.12641@news20.bellglobal.com...
>> Yes, but it does actually work on any browser I have seen aside from IE
>> (including Netscape, Firefox Win, Firefox Linux, Safari Mac).
>>
>> The page in the frame does have a domain associated with it, shouldn't
>> the cookie be available to that domain? (But not necessarily to the
>> domain of the hosting frame)
>
> Relying on an obvious security flaw for functionality is not exactly
> planning on the future :)
>
> Having a frame in a page be able to read cookies from the domain in which
> the frame is situated is a nasty thing. Someone could inject a frame into
> a site's HTML somehow, and have that frame bring up a page on a second
> server, and that'll give the second server access to the cookies of the
> first server, on that page. Nasty stuff.
>
>>
>>
>> "Gordon Burditt" <gordonb.ag0mk@burditt.org> wrote in message
>> news:1244t1u3ue2pl1c@corp.supernews.com...
>>>>I have a feature that is hosted on a different domain from the primary
>>>>one in a frame, and need to retain values in a cookie.
>>>>
>>>>example: A web page at one.com contains a frame which has a page hosted
>>>>at two.com
>>>>
>>>>If I view the frameset from one.com in Firefox, all works well with the
>>>>content from two.com. But if trying to view this using IE (with standard
>>>>security settings), the cookie set by two.com is not accessible.
>>>>
>>>>Have been tinkering with the domain setting in the setcookie function to
>>>>specify the domain: have tried one.com and two.com, but have not been
>>>>able to get at the cookie value.
>>>>
>>>>How can I get this to work?
>>>
>>> Hopefully you can't on any browser. Cookies from one domain aren't
>>> supposed to be sent to another. For many, many, uses of cookies,
>>> it's a BIG security hole (you're handing credentials to log into one
>>> web site to another web site, which makes session hijacking easy).
>>>
>>> Gordon L. Burditt
>>
>>
>
>
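
The cookie scoping discussed in this thread, as an added example that is not part of the original posts: a simplified model of RFC 6265 domain matching applied to a one.com frameset embedding a two.com page. The function names and the `blockThirdParty` switch are hypothetical, and the third-party test compares hosts directly instead of registrable domains.

```javascript
// Added illustration, not code from the thread: a simplified model of RFC 6265
// cookie scoping. one.com / two.com are the thread's own placeholder hosts.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when they are
// equal, or the cookie domain is a dot-delimited suffix of a non-IP host name.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Set-Cookie handling (section 5.3): a Domain attribute that the responding
// host does not domain-match causes the whole cookie to be ignored.
function storeCookie(jar, responseHost, name, value, domainAttr) {
  if (domainAttr && !domainMatch(responseHost, domainAttr)) return false;
  const domain = (domainAttr || responseHost).toLowerCase().replace(/^\./, "");
  jar.push({ name, value, domain, hostOnly: !domainAttr });
  return true;
}

// Names of cookies attached to a request for requestHost while topLevelHost is
// the page in the address bar. blockThirdParty is a hypothetical switch that
// models a browser withholding cookies from cross-site frames.
function cookiesFor(jar, requestHost, topLevelHost, blockThirdParty) {
  const h = requestHost.toLowerCase();
  const thirdParty = !domainMatch(h, topLevelHost) && !domainMatch(topLevelHost, h);
  if (blockThirdParty && thirdParty) return [];
  return jar.filter(c => (c.hostOnly ? c.domain === h : domainMatch(h, c.domain)))
            .map(c => c.name);
}

// Constructed scenario: one.com frameset, frame content served by two.com.
function demo() {
  const jar = [];
  const r = {
    twoSetsOwn: storeCookie(jar, "two.com", "prefs", "a", null),
    twoSetsForOne: storeCookie(jar, "two.com", "prefs2", "b", "one.com"),
    oneSetsOwn: storeCookie(jar, "one.com", "sid", "x", null),
  };
  r.frameLenient = cookiesFor(jar, "two.com", "one.com", false); // framed, no blocking
  r.frameStrict = cookiesFor(jar, "two.com", "one.com", true);   // framed, blocking on
  r.newWindow = cookiesFor(jar, "two.com", "two.com", true);     // opened top-level
  return r;
}
```

In this model the framed two.com request never carries one.com's `sid` cookie, a `Domain=one.com` cookie sent by two.com is discarded, and the only difference between the framed and top-level cases is the third-party switch.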
