Here's a discussion: http://community.livejournal.com/lj_dev/706058.html?thread=7854602 I ran the tests from the URL above, and received a Cookie Stolen result.
What appears to be happening here is that cookies are set under the paths /javascript/1/ and /javascript/2/. In Frame Test #1, a frameset is then loaded (from /javascript/3/frames.html) containing two frames. The frameset document has no direct access to the cookies due to the path restriction. It gains access to the cookies by accessing the child frames' document.cookie. Frame Test #2 is similar, only a frame accesses a sibling frame's document.cookie. The window.open test case works with popup blocking disabled. It functions in a similar way -- it opens a popup with window.open, and then retrieves the cookies via the popup window's document.cookie.
Who should this be assigned to and should this be a P1?
Well, to be honest, I don't know why it should be P1; as it is, it's assigned just fine so anyone can pick it up :) I will however cc some possible fixers.
Bueller? Bueller? Bueller?
Please, please do NOT "fix" this "bug". Please ignore RFC2965 in the part about cookie Path filtering. LJ's discussion states it very clearly: "path on cookies doesn't help security", and I agree with it. Please don't create yet another "improvement", which would be a real pain with AJAX. Even if you fix this (close the direct opportunity for JS), other embedded objects, such as <img>, <link>, <object> etc., can carry the cookie in the HTTP header, and web programmers will find a way around it, increasing the mess and lowering security. I have seen that Safari does not attach the cookie for a CSS <link>, whereas other browsers do. Could you please re-focus on fixing such real bugs, instead of creating more incompatibility problems for server-side programmers? Thank you in advance. --Vladimir Url with test and details: http://www.sfgate.com/cgi-bin/safari/first/start
This is INVALID. There would be many ways to get around the restriction even if we had one.
I agree with Ian. This is definitely INVALID. Marking it as such.