[vlc-devel] commit: Default enable http forward cookies (Antoine Cellerier)
Rémi Denis-Courmont
rem at videolan.org
Sat Sep 13 14:39:49 CEST 2008
On Saturday 13 September 2008 15:32:29 Antoine Cellerier, you wrote:
> On Sat, Sep 13, 2008, Laurent Aimar wrote:
> > As it seems that this option is not that harmless, why not simply use
> > the interface interaction stuff ?
> >
> > You could change http-forward-cookies to Yes/No/Ask with "Ask" being the
> > default.
> > Then when a cookie has to be forwarded you could ask the user if he
> > accepts (with "No" being the default answer).
>
> Good idea. I still honestly don't understand how this can be a security
> issue.
We don't match the cookie scopes _properly_. So you can end up injecting, or
(less likely) leaking a cookie. There may be other cookie problems, as I am
not an expert in HTTP security.
IMHO, asking the user makes no sense. If even you cannot answer the question,
who can?
--
Rémi Denis-Courmont
http://git.remlab.net/cgi-bin/gitweb.cgi?p=vlc-courmisch.git;a=summary
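
Added example, not part of the original message and not VLC code: one way to check a cookie's scope before forwarding it, following the domain-match and path-match rules of RFC 6265 (sections 5.1.3 and 5.1.4). All function names are hypothetical and the IP-literal test is a simplification.

```c
/* Added example (not VLC code): cookie scope checks per RFC 6265. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Simplified IP-literal test: IPv6 contains ':', IPv4 is digits and dots. */
static bool is_ip_literal(const char *host)
{
    if (strchr(host, ':') != NULL)
        return true;
    return *host != '\0' && strspn(host, "0123456789.") == strlen(host);
}

/* Case-insensitive equality for ASCII host names. */
static bool host_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* host: request host; domain: the cookie's Domain attribute. */
bool cookie_domain_match(const char *host, const char *domain)
{
    if (*domain == '.')
        domain++;                       /* a leading dot is ignored */
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl == 0 || dl > hl || !host_equal(host + (hl - dl), domain))
        return false;
    if (hl == dl)
        return true;                    /* exact match */
    /* Suffix match only on a label boundary, and never for IP addresses. */
    return host[hl - dl - 1] == '.' && !is_ip_literal(host);
}

/* req_path: path being requested; cookie_path: the cookie's Path attribute. */
bool cookie_path_match(const char *req_path, const char *cookie_path)
{
    size_t cl = strlen(cookie_path);
    if (cl == 0 || strncmp(req_path, cookie_path, cl) != 0)
        return false;
    if (req_path[cl] == '\0')
        return true;                    /* identical paths */
    /* Prefix match only on a '/' boundary. */
    return cookie_path[cl - 1] == '/' || req_path[cl] == '/';
}

/* Hypothetical helper: forward a cookie only if both scopes match. */
bool cookie_should_forward(const char *host, const char *path,
                           const char *c_domain, const char *c_path)
{
    return cookie_domain_match(host, c_domain) && cookie_path_match(path, c_path);
}
```

A plain suffix or prefix comparison would accept "evilexample.com" for a cookie scoped to "example.com" and "/videos2/" for one scoped to "/videos"; the boundary checks are what reject them.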