undefined | Better HN

0 pointsjdunck15y ago0 comments

FWIW, non-JS is still a vector. For example, img tags can stomp on cookies. Yes, serving static media over SSL is diminishing returns, and it would suck for mid-stream proxies (and every ISP will hurt from it). But don't argue that it doesn't matter from a security perspective.

0 comments

pmjordan15y ago

When done correctly, it should at least avoid this sort of cookie stealing scenario, though - HTTPS-only cookies won't leak into HTTP requests for non-active content, though malicious Set-Cookie: injection into the HTTP responses can obviously log the user out, etc. and may even reveal unwanted info if the HTTPS server doesn't handle the situation gracefully.

j / k navigate · click thread line to collapse

0 pointsjdunck15y ago0 comments

0 comments

pmjordan15y ago

j / k navigate · click thread line to collapse