Cookies and iframes, how to deal with them?

The other day I discovered that iexplorer is not accepting cookies from an iframe unless the iframe provides P3P authorization. At first, I was like "WTF?", but today I was wondering about the bad things that could happen.

For example, I have a website named herp.com, where you can delete a product with http://herp.com/product/111/delete (I know this is a bad practice, GET should be idempotent). Then a malicious webmaster creates a website at http://derp.com with an iframe to http://herp.com/product/111/delete, so... if I, as a logged-in user on herp.com, open derp.com with my browser... will I delete product 111?

Which other issues should I be afraid of?

Thanks in advance.

You should be more afraid of your HTTP GET causing a delete. The scenario you are describing is not much different than throwing a redirect on a page from derp.com to herp.com/product/111/delete. In either scenario, the user will unknowingly load herp.com, and the browser will automatically supply any cookies for that site.
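The point made in the answer, as an added example that is not part of the original question or answer: the delete handler as the question describes it, beside a version that only changes state on POST with a token tied to the session. Python is an assumption (the page names no stack), and the handler names, session store and sample request are constructed for illustration; the functions take cookies and form fields already parsed by whatever framework is in use.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # server-side key, constructed for this example
SESSIONS = {"sess-abc": "alice"}   # constructed session store: cookie value -> user

def csrf_token(session_id):
    """Token bound to the session; a page on another origin cannot read or derive it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def vulnerable_delete(method, product_id, cookies, form, products):
    """The question's design: any request that carries the session cookie deletes."""
    if cookies.get("session") not in SESSIONS:
        return 401
    products.pop(product_id, None)
    return 200

def hardened_delete(method, product_id, cookies, form, products):
    """Delete only on POST, and only with a token that matches the session."""
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return 401
    if method != "POST":               # GET stays free of side effects
        return 405
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return 403                     # the cookie alone is not proof of intent
    products.pop(product_id, None)
    return 200

def session_cookie_header(session_id):
    # SameSite=Lax keeps the cookie out of cross-site iframes and cross-site POSTs,
    # but it is still sent on top-level GET navigations (the redirect case in the
    # answer), so it does not make a GET-triggered delete safe.
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    framed = ("GET", 111, {"session": "sess-abc"}, {})   # what the iframe sends
    for handler in (vulnerable_delete, hardened_delete):
        products = {111: "widget"}
        print(handler.__name__, handler(*framed, products), products)
```
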
