[Catalog-sig] Fwd: readthedocs.org or packages.python.org?
Donald Stufft
donald.stufft at gmail.com
Wed Feb 6 23:28:46 CET 2013
On Wednesday, February 6, 2013 at 5:06 PM, martin at v.loewis.de wrote:
> > Javascript hosted on packages.python.org (http://packages.python.org) has access to cookies on
> > python.org (http://python.org), If python.org (http://python.org) has
> > any sort of login it's trivial to steal a session cookie.
> >
>
>
> No, it doesn't. Cookies for "python.org (http://python.org)" are not available to
> "packages.python.org (http://packages.python.org)".
> It would have to be a cookie for ".python.org (http://python.org)". We don't issue such cookies.
>
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
Specifically:
Note: according to one of the specs, domain wildcards should be marked with a preceeding period, so .example.com would denote a wildcard match for the entire domain - including, somewhat confusingly, example.com proper - whereas foo.example.com would denote an exact host match. Sadly, no browser follows this logic, and domain=example.com is exactly equivalent to domain=.example.com. There is no way to limit cookies to a single DNS name only, other than by not specifying domain= value at all - and even this does not work in Microsoft Internet Explorer; likewise, there is no way to limit them to a specific port.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130206/1e073f39/attachment-0001.html>
More information about the Catalog-SIG
mailing list