At last I managed to do it, setting both sites to read and write all
cookies for any site they'd like.
But that is quite insecure, isn't it?
Can something be done to make Yahoo respect Opera and to pass critical
info via HTTP FORMs and let each site manage its cookies on its own?
PS: while I do think HTML5 project is to extend HTTP cookies headers to
allow controllable cross-site cookie access.
--
Using the revolutionary e-mail client of the Opera browser:
http://www.opera.com/mail/
> Just got a trouble - no matter what I tried - I could not log into Flickr.
> Instead I was twice redirected to login.yahoo.com and then to
> http://www.flickr.com/register_cookies.gne
> Telling me that my login/password are ok, but due to cookies I have way to
> be logged in.
>
> At last I managed to do it, setting both sites to read and write all
> cookies for any site they'd like.
> But that is quite insecure, isn't it?
Insecure is not the right word probably, but both Yahoo and its advertisers
can see which Yahoo pages you visit. Instead of just Yahoo being able to
see which Yahoo pages you visit. Depends a bit on what you do on Yahoo.com
and your threshold for privacy violations if this is a problem for you.
Personally I'm not that afraid, but I do set Opera to remove new cookies
on exit because they annoy me...
> Can something be done to make Yahoo respect Opera and to pass critical
> info via HTTP FORMs and let each site manage its cookies on its own?
>
> PS: while I do think HTML5 project is to extend HTTP cookies headers to
> allow controllable cross-site cookie access.
We can hope they can figure out something that works *and* is interesting
enough for sites to start using. The problem of figuring out which servers
belong to the same owner (and can be trusted to share stuff) and which
don't is a hard one.
--
Rijk van Geijtenbeek
Opera Software ASA, Documentation & QA
Tweak: http://my.opera.com/Rijk/blog/
"The most common way to get usability wrong is to listen to what users
say rather than actually watching what they do." - J.Nielsen
Since the cookie carries some password-related hash (autologin), cannot some
3rd-party site just hijack my password?
> We can hope they can figure out something that works *and* is
> interesting enough for sites to start using. The problem of figuring out
> which servers belong to the same owner (and can be trusted to share
> stuff) and which don't is a hard one.
Surely the browser cannot know this, otherwise there would not be such a problem
at all.
However, with modifying HTTP, I cannot see why it cannot be done.
The easiest thing to imagine is some predefined URL, like /index.html and
/favicon.ico
Server A wants to read cookie of server B
Opera makes request to B HTTP/HEAD
/cookie_check?from=A/bla-bla/bla.html&cookie=name1;name2;name3&access=read
B responds with 404 (Brr... whad'ya mean?), 200 (I know this server,
access OK) or 403 (no, it is an alien server)
Or with 302 (Hmm, we have a special server for this)
If both servers A and B belong to the same organisation - they can set up such a
scheme.
PS: BTW, the "from" parameter is not required, it is just a duplicate of HTTP
Referer
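
The check proposed above, sketched as an added example (not part of the original posts and not any browser's actual behaviour). The hostnames, the partner table and the choice to treat 404 as a denial are assumptions, and both servers are simulated in-process rather than contacted over HTTP.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed policy: hosts each answering server treats as its own organisation's.
PARTNERS = {"login.b.example": {"www.a.example"}}
# Constructed 302 case: B hands the decision to a dedicated server.
DELEGATES = {"www.b.example": "login.b.example"}

def server_cookie_check(host, query):
    """Server side of the proposed HEAD /cookie_check; returns (status, location)."""
    if host in DELEGATES:
        return 302, DELEGATES[host]          # "we have a special server for this"
    if host not in PARTNERS:
        return 404, None                     # server does not know the scheme
    params = parse_qs(query)
    # "from" is given without a scheme, as in the post: A/bla-bla/bla.html
    origin = urlsplit("//" + params["from"][0]).hostname
    return (200, None) if origin in PARTNERS[host] else (403, None)

def browser_may_access(from_url, target_host, cookies, access="read", max_hops=3):
    """Browser side: ask target_host whether from_url may access its cookies."""
    query = urlencode({"from": from_url,
                       "cookie": ";".join(cookies),
                       "access": access})
    host = target_host
    for _ in range(max_hops):
        status, location = server_cookie_check(host, query)
        if status == 302:
            host = location                  # follow the delegation, bounded by max_hops
            continue
        return status == 200                 # assumption: 403 and 404 both deny
    return False                             # redirect loop or chain too long: deny

if __name__ == "__main__":
    print(browser_may_access("www.a.example/bla-bla/bla.html",
                             "www.b.example", ["name1", "name2", "name3"]))
```
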
> Can something be done to make Yahoo respect Opera and
Still think you have to fix it before Opera 9.5 final.
Either by contacts with Yahoo or by lowering the security level for
Yahoo-related sites in Opera itself.