[vlc-devel] commit: Default enable http forward cookies (Antoine Cellerier )

Antoine Cellerier dionoea at videolan.org
Sat Sep 13 14:55:59 CEST 2008


On Sat, Sep 13, 2008, Rémi Denis-Courmont wrote:
> We don't match the cookie scopes _properly_. So you can end up injecting, or 
> (less likely) leaking a cookie. There may be other cookie problems, as I am 
> not an expert in HTTP security.
>
> IMHO, asking the user makes no sense. If even you cannot answer the question, 
> who can?

The issue, from my point of view, is that it breaks usage of some HTTP
streams which 1/ redirect the user to another url and 2/ require cookies
to make sure that you're not someone accessing the 2nd url without going
through the "official channels" (or whatever).

If the site redirects to someone else, and you trust it enough to try
opening a video stream from it, what could you fear from cookies being
forwarded to the new url? I mean, it's only session ids for a movie
stream ... nothing which is likely to be an issue.

Now, a fallback solution, if I understand what you said correctly, would
be to match the cookie scope properly. What does that imply compared to
what we already do? (I'm trying to sort this out from the usability
point of view)

Cheers,

-- 
Antoine Cellerier
dionoea

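What "matching the cookie scope properly" means in practice, as an added illustration that is not VLC code and does not reproduce VLC's HTTP access module: a small cookie jar that applies the RFC 6265 domain-match, path-match and Secure rules when a stream redirects to another host, set beside the unscoped behaviour of forwarding every stored cookie to the new URL. The host names, paths and cookie values (stream.example.com, cdn.example.com, evil.example.org, the session and token cookies) are constructed for the example.

```python
"""Cookie scope matching per RFC 6265, contrasted with forwarding every
stored cookie on redirect. Added example, not VLC code; hosts and values
below are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # lower-case, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain or is a subdomain of it; IP literals never match a suffix."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    return not host.replace(".", "").isdigit()


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: equal, or cookie path is a directory prefix of the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path: the request path up to, excluding, its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def parse_set_cookie(header: str, url: str) -> Optional[Cookie]:
    """Build a Cookie from a Set-Cookie header received from `url`; None if it must be
    rejected because the responding host is not within the Domain it asks for."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for p in pieces[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        if not domain_match(host, domain):
            return None  # injection attempt: evil.example.org cannot set Domain=example.com
        host_only = False
    else:
        domain, host_only = host, True
    path = attrs.get("path", "")
    if not path.startswith("/"):
        path = default_path(parts.path or "/")
    return Cookie(name.strip(), value, domain, host_only, path, "secure" in attrs)


class CookieJar:
    def __init__(self):
        self.cookies = []

    def store(self, set_cookie: str, url: str) -> bool:
        c = parse_set_cookie(set_cookie, url)
        if c is None:
            return False
        key = (c.name, c.domain, c.path)
        self.cookies = [o for o in self.cookies if (o.name, o.domain, o.path) != key]
        self.cookies.append(c)
        return True

    def cookies_for(self, url: str) -> dict:
        """Scoped selection (RFC 6265 5.4): the cookies that belong in the request's Cookie header."""
        parts = urlsplit(url)
        host, path = parts.hostname.lower(), parts.path or "/"
        out = {}
        for c in self.cookies:
            if c.host_only and host != c.domain:
                continue
            if not c.host_only and not domain_match(host, c.domain):
                continue
            if not path_match(path, c.path) or (c.secure and parts.scheme != "https"):
                continue
            out[c.name] = c.value
        return out

    def forward_all(self) -> dict:
        """The unscoped alternative: every stored cookie follows the redirect."""
        return {c.name: c.value for c in self.cookies}


def redirect_scenario() -> dict:
    jar = CookieJar()
    origin = "https://stream.example.com/watch/start"
    jar.store("session=s3cr3t; Path=/; Secure", origin)              # host-only, HTTPS only
    jar.store("token=abc; Domain=example.com; Path=/", origin)       # site-wide
    injected = jar.store("token=evil; Domain=example.com", "http://evil.example.org/")
    target = "http://cdn.example.com/media/stream.ts"                # redirect destination
    return {
        "injected": injected,
        "scoped": jar.cookies_for(target),
        "forward_all": jar.forward_all(),
        "same_host_https": jar.cookies_for("https://stream.example.com/watch/next"),
    }
```

In the scenario the host-only Secure session cookie stays on stream.example.com; only the cookie explicitly scoped to example.com follows the redirect to cdn.example.com, while the unscoped forward hands over both, and the third-party attempt to plant a token for example.com is refused at store time.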