On Tue, Sep 15, 2009 at 08:08:06PM +0200, Joerg Sonnenberger wrote:
> On Tue, Sep 15, 2009 at 07:36:31PM +0200, Johannes Hofmann wrote:
> > Or would it be enough to not send cookies or HTTP authentication data when loading such "unsafe" URLs?
>
> Cookies have an explicit domain part if they are supposed to apply to more than the current host. HTTP authentication is URL specific or at most host specific.

Not sure if that helps here. If the user has a cookie set that authenticates him at www.hisbank.com and a page on www.badguy.com contains an image with the URL http://www.hisbank.com?transfer_to_badguy=100000, the browser would happily send the cookie to www.hisbank.com to authenticate him. Of course www.hisbank.com should have additional checks installed that prevent such misuse.

Cheers,
Johannes
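As an added example (not code from this thread, nor from any project discussed in it), the following Python model shows what the "additional checks" on the www.hisbank.com side look like: a handler that acts on the session cookie alone, which the cross-site <img> request defeats exactly as described above, beside a hardened handler that refuses the same request. The request shape, the session store, the endpoint path /transfer and the parameter names transfer_to and amount are constructed stand-ins for a real web framework and for the query string quoted in the thread. The browser-side idea in the quoted question, withholding the cookie on cross-site loads, is what the SameSite cookie attribute later standardised; the example below covers only the server side.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed origin of the bank from the thread; the Request class below is a
# constructed stand-in for an HTTP request, not a real web framework.
BANK_ORIGIN = "http://www.hisbank.com"

# Constructed session store: session id -> owner and a per-session CSRF token.
SESSIONS = {}


def login(user):
    """Create a session and return the value the browser stores in the cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)   # e.g. Origin, Referer
    cookies: dict = field(default_factory=dict)   # attached by the browser automatically
    form: dict = field(default_factory=dict)      # POST body fields


def params(req):
    """Merge query-string and form parameters (form wins on conflict)."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}
    return {**query, **req.form}


def origin_of(url):
    """scheme://host[:port] of a URL, for comparing Origin/Referer against the bank."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def transfer_vulnerable(req):
    """Trusts the session cookie alone, for any method: the <img> trick works."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    p = params(req)
    return 200, f"{sess['user']} sent {p.get('amount')} to {p.get('transfer_to')}"


def transfer_hardened(req):
    """Same action, but only on a request the bank's own page could have made."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    # 1. State changes only via POST: an <img src=...> can only ever issue a GET.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. The request must come from the bank itself. Origin is preferred,
    #    Referer is the fallback; a request carrying neither is refused
    #    rather than waved through.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is None or origin_of(src) != BANK_ORIGIN:
        return 403, "cross-site request refused"
    # 3. A synchronizer token bound to this session. www.badguy.com cannot
    #    read it, because the same-origin policy keeps the bank's pages from
    #    it; compare_digest avoids leaking the token through timing.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or wrong csrf token"
    p = params(req)
    return 200, f"{sess['user']} sent {p.get('amount')} to {p.get('transfer_to')}"


def demo():
    """Replay the thread's scenario against both handlers; returns status codes."""
    sid = login("victim")
    # Constructed: the request an <img> on www.badguy.com triggers. The browser
    # attaches the bank cookie, and the Referer is the attacker's page.
    img = Request("GET", BANK_ORIGIN + "/?transfer_to=badguy&amount=100000",
                  headers={"Referer": "http://www.badguy.com/evil.html"},
                  cookies={"session": sid})
    # Constructed: the genuine transfer form submitted from the bank's own page.
    form = Request("POST", BANK_ORIGIN + "/transfer",
                   headers={"Origin": BANK_ORIGIN},
                   cookies={"session": sid},
                   form={"transfer_to": "alice", "amount": "10",
                         "csrf_token": SESSIONS[sid]["csrf"]})
    return (transfer_vulnerable(img)[0],
            transfer_hardened(img)[0],
            transfer_hardened(form)[0])


if __name__ == "__main__":
    print(demo())  # (200, 405, 200)
```

The three checks are independent and each one alone stops the <img> request: the method check because an image load is a GET, the origin check because the Referer names www.badguy.com, and the token check because the attacker's page never sees the bank's token. Keeping all three matters because a cross-site POST (an auto-submitted form on the attacker's page) passes the first, and a browser that strips Referer for privacy would otherwise leave only the token standing.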