On Fri, Jun 12, 2015 at 03:43:11PM -0400, Jonathan Billings wrote: > Its technically true, however, XSS attacks can get around that > restriction, which is why you saw so much malware posted on a site > like googleusercontent.com. Sites that allow users to upload content > are always being used to host malware for XSS attacks. But you still > need to be visiting a site with the same domain as the cookie, and > load a compromised page. Plus, if you use HttpOnly cookies, you > have to go through even more complex XSS exploits to get at the > cookie, since they aren't accessible through the DOM model. I should add that the exploits are constantly being addressed by both Web Browser developers as well as developers of extensions like NoScript. Its an arms race. -- Jonathan Billings <billings at negate.org>