[vlc-devel] commit: Default enable http forward cookies (Antoine Cellerier )

Rémi Denis-Courmont rem at videolan.org
Sat Sep 13 15:18:47 CEST 2008


On Saturday 13 September 2008 15:55:59 Antoine Cellerier, you wrote:
> The issue, from my point of view, is that it breaks usage of some HTTP
> streams which 1/ redirect the user to another url and 2/ require cookies
> to make sure that you're not someone accessing the 2nd url without going
> through the "official channels" (or whatever).
>
> If the site redirects to someone else, and you trust it enough to try
> opening a video stream from it, what could you fear from cookies being
> forwarded to the new url? I mean, it's only session ids for a movie
> stream ... nothing which is likely to be an issue.

That's why I'm saying it's probably a bigger (small) problem in the other 
direction - some evil dude tricks you into opening a URL, feeds you an evil 
cookie and redirects you to a third party misinterpreting the cookie.

> Now, a fallback solution, if I understand what you said correctly, would
> be to match the cookie scope properly. What does that imply compared to
> what we already do? (I'm trying to sort this out from the usability
> point of view)

Making sure that the cookie cannot pretend to be from another domain than it 
is, and making sure that a domain cannot ask for a cookie it should not get. 
I have not looked at the Cookie spec in depth, because I do not care about 
this feature.

-- 
Rémi Denis-Courmont
http://git.remlab.net/cgi-bin/gitweb.cgi?p=vlc-courmisch.git;a=summary
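
The two checks named in the reply above (a cookie must not claim a domain other than its sender's, and a host must not receive a cookie scoped elsewhere), sketched as an added example that is not part of the original message and not VLC code. It follows the domain-match rule of RFC 6265; all function names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical helper names; none of these are VLC functions. */

/* Case-insensitive string equality (host names are case-insensitive). */
static bool ieq(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == *b;
}

/* IPv4/IPv6 literals must only ever match exactly, never by suffix. */
static bool is_ip_literal(const char *h)
{
    if (strchr(h, ':')) return true;
    return *h && strspn(h, "0123456789.") == strlen(h);
}

/* Domain-match: host equals domain, or ends with "." followed by domain. */
bool cookie_domain_match(const char *host, const char *domain)
{
    size_t hlen = strlen(host), dlen = strlen(domain);
    if (dlen == 0 || hlen < dlen || !ieq(host + hlen - dlen, domain))
        return false;
    if (hlen == dlen)
        return true;
    return host[hlen - dlen - 1] == '.' && !is_ip_literal(host);
}

/* Storing: a server may scope a cookie only to itself or a parent domain. */
bool cookie_may_store(const char *origin_host, const char *domain_attr)
{
    if (domain_attr == NULL || *domain_attr == '\0')
        return true;                      /* no Domain attribute: host-only */
    if (*domain_attr == '.')
        domain_attr++;                    /* leading dot is ignored */
    if (strchr(domain_attr, '.') == NULL) /* bare label such as "com" */
        return ieq(origin_host, domain_attr);
    return cookie_domain_match(origin_host, domain_attr);
}

/* Sending: after a redirect, forward only cookies whose scope covers the new host. */
bool cookie_may_send(const char *request_host, const char *scope, bool host_only)
{
    return host_only ? ieq(request_host, scope)
                     : cookie_domain_match(request_host, scope);
}
```

The bare-label test is a simplification; a complete client would consult a public-suffix list so that scopes such as `co.uk` are refused as well.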
