[CentOS] C5 : Firefox 38 bug

Fri Jun 12 19:43:11 UTC 2015
Jonathan Billings <billings at negate.org>

On Sat, Jun 10, 2062 at 01:16:03PM -0600, jd1008 wrote:
> On 06/12/2015 01:01 PM, Gordon Messmer wrote:
> >As far as cookies go, you're even further from the truth.  A script can
> >only access cookies whose domain matches the origin of the script.
> 
> Your final line is not true.

It's technically true; however, XSS attacks can get around that
restriction, which is why you saw so much malware posted on a site
like googleusercontent.com.  Sites that allow users to upload content
are always being used to host malware for XSS attacks.  But you still
need to be visiting a site with the same domain as the cookie, and
load a compromised page.  Plus, if you use HttpOnly cookies, you
have to go through even more complex XSS exploits to get at the
cookie, since they aren't accessible through the DOM model.

But as designed, cookies are meant only to be used by scripts from the
same domain as the one that set the cookie.

-- 
Jonathan Billings <billings at negate.org>
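
The scoping rule discussed in this message, as an added example that is not part of the original post: a small model of which cookies `document.cookie` exposes to a script, using the domain-match rule from RFC 6265 section 5.1.3 plus the HttpOnly and Secure attributes. The cookie jar, the host names and the function names are constructed for illustration, and path matching is left out.

```javascript
// Does request host `host` domain-match cookie domain `domain`? (RFC 6265 5.1.3)
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  // Suffix match only on a label boundary, and never for IP address hosts.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Names of the cookies a script running in a page at `pageUrl` would read
// from document.cookie (hypothetical helper, not a browser API).
function scriptVisibleCookies(jar, pageUrl) {
  const url = new URL(pageUrl);
  return jar
    .filter((c) => {
      // Host-only cookies (set without a Domain attribute) need an exact host match.
      const domainOk = c.hostOnly
        ? url.hostname === c.domain
        : domainMatch(url.hostname, c.domain);
      // Secure cookies are only exposed on https pages.
      const secureOk = !c.secure || url.protocol === "https:";
      // HttpOnly cookies are sent in requests but hidden from script.
      return domainOk && secureOk && !c.httpOnly;
    })
    .map((c) => c.name);
}

// Constructed cookie jar (all names and domains are made up).
const jar = [
  { name: "session", domain: "shop.example", hostOnly: true, httpOnly: true, secure: true },
  { name: "theme", domain: "shop.example", hostOnly: false, httpOnly: false, secure: false },
  { name: "tracker", domain: "ads.example", hostOnly: false, httpOnly: false, secure: false },
];

// Same site: only the non-HttpOnly cookie is readable by script.
console.log(scriptVisibleCookies(jar, "https://shop.example/cart"));
// Look-alike host: no label-boundary suffix match, so nothing is readable.
console.log(scriptVisibleCookies(jar, "https://evilshop.example/"));
// Subdomain: sees the Domain-scoped cookie, not the host-only one.
console.log(scriptVisibleCookies(jar, "https://uploads.shop.example/x"));
```
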