[vlc-devel] commit: Default enable http forward cookies (Antoine Cellerier )

Rémi Denis-Courmont rem at videolan.org
Sat Sep 13 14:39:49 CEST 2008

Le samedi 13 septembre 2008 15:32:29 Antoine Cellerier, vous avez écrit :
> On Sat, Sep 13, 2008, Laurent Aimar wrote:
> >  As it seems that this option is not that harmless, why not simply use
> > the interface interaction stuff ?
> >
> >  You could change http-forward-cookies to Yes/No/Ask with "Ask" being the
> > default.
> >  Then when a cookie has to be forwarded you coukd ask the user if he
> > accept (with "No" being the default answer).
> Good idea. I still honestly don't understand how this can be a security
> issue.

We don't match the cookie scopes _properly_. So you can end up injecting, or 
(less likely) leaking a cookie. There may be other cookie problems, as I am 
not an expert in HTTP security.

IMHO, asking the user makes no sense. If even you cannot answer the question, 
who can?

Rémi Denis-Courmont

More information about the vlc-devel mailing list